
WO2023246060A1 - User authentication and authorization method and apparatus, and medium and device - Google Patents

Info

Publication number: WO2023246060A1
Application number: PCT/CN2022/142487
Authority: WO (WIPO, PCT)
Prior art keywords: cloud, cloud service, authentication, service authentication, network interoperability
Legal status: Ceased
Other languages: French (fr), Chinese (zh)
Inventors: 李阳春, 刘艺, 林宝洪, 黄志兰, 樊勇兵
Original and current assignee: China Telecom Corp Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884: Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/0807: Authentication of entities using tickets, e.g. Kerberos
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Definitions

  • the present disclosure relates to the field of communication technology and the field of cloud computing, and in particular to a user authentication and authorization method, a user authentication and authorization device, a computer-readable storage medium and an electronic device.
  • Authentication and authorization of user terminals is an indispensable and important link in the process of user terminals using access services or cloud services.
  • cloud service authentication and cloud resource authorization are independent of the authentication service process on the access side.
  • the authorization information returned by the authentication server is usually only related to the access service or data channel, such as IP (Internet Protocol) address allocation, port, MTU (Maximum Transmission Unit) and PPP (Point-to-Point Protocol) parameters, and does not cover cloud resource application and activation, cloud service activation or other services.
  • IP: Internet Protocol
  • MTU: Maximum Transmission Unit
  • PPP: Point-to-Point Protocol
  • a user authentication and authorization processing method is provided, which is applied to network access and cloud service authentication and cloud resource authorization.
  • the method includes: in response to receiving an authentication request sent by an access gateway, performing access authentication of the user terminal, wherein the authentication request is generated by the user terminal and sent to the access gateway; initiating a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request; and initiating a cloud network interoperability detection request to the cloud network interoperability detection module, so that the cloud network interoperability detection module performs cloud network interoperability detection of the user terminal based on the cloud network interoperability detection request.
  • Network interoperability detection is provided, which is applied to network access and cloud service authentication and cloud resource authorization.
  • initiating a cloud service authentication request to the cloud service authentication module so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request includes: sending a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains cloud service authentication information based on the cloud service authentication request, and performs cloud service authentication of the user terminal based on the cloud service authentication information.
  • after receiving the cloud service authentication request, the cloud service authentication module initializes the cloud service authentication information corresponding to the user terminal, completes cloud service authentication of the user terminal based on the cloud service authentication information, obtains the cloud resource authorization parameters, and returns the cloud service authentication result and the cloud resource authorization parameters to the authentication server.
  • initiating the cloud network interoperability detection request to the cloud network interoperability detection module, so that the cloud network interoperability detection module performs cloud network interoperability detection on the user terminal based on the cloud network interoperability detection request, includes: initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module obtains cloud-network interoperability detection parameters based on the cloud-network interoperability detection request, and detects cloud-network interoperability of the user terminal based on those parameters.
  • after receiving the cloud network interoperability detection request, the cloud network interoperability detection module initializes the detection record of the user terminal, determines the cloud network interoperability detection strategy according to the cloud network interoperability detection parameters, and delivers the parameter information of the cloud resource pool access end and the cloud network interoperability detection strategy to the access gateway, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end based on the cloud network interoperability detection strategy and returns the cloud-network interoperability detection result to the cloud-network interoperability detection module.
  • the method further includes: returning the access authentication result and access authorization parameter corresponding to the user terminal to the access gateway, so that the access gateway configures according to the access authentication result and the access authorization parameter.
  • the method further includes: receiving the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; and returning the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway configures according to the cloud service authentication result and the cloud resource authorization parameters.
  • the method further includes: receiving the cloud network interoperability detection result corresponding to the user terminal returned by the cloud network interoperability detection module, and returning the cloud network interoperability detection result corresponding to the user terminal to the access gateway, so that the access gateway configures according to the cloud network interoperability detection result.
  • a user authentication and authorization processing device which is applied to network access and cloud service authentication and cloud resource authorization.
  • the device includes: an access authentication module, configured to perform access authentication of the user terminal in response to receiving the authentication request sent by the access gateway, where the authentication request is generated by the user terminal and sent to the access gateway; a cloud service authentication initiation module, configured to initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request; and a cloud network interoperability detection initiation module, configured to initiate a cloud network interoperability detection request to the cloud network interoperability detection module, so that the cloud network interoperability detection module performs cloud network interoperability detection of the user terminal based on the cloud network interoperability detection request.
  • a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, the above-mentioned user authentication and authorization processing method is implemented.
  • an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the above user authentication and authorization processing method by executing the executable instructions.
  • Figure 1 shows the system architecture executed by a user authentication and authorization processing method in this exemplary embodiment
  • Figure 2 shows a flow chart of a user authentication and authorization processing method in this exemplary embodiment
  • Figure 3 shows an access authentication flow chart executed by the authentication server in this exemplary embodiment
  • Figure 4 shows a cloud service authentication flow chart executed by the cloud service authentication module in this exemplary embodiment
  • Figure 5 shows a flow chart of feedback of cloud-network interoperability detection results executed by the cloud-network interoperability detection module in this exemplary embodiment
  • Figure 6 shows an interaction example diagram of user authentication and authorization in this exemplary embodiment
  • Figure 7 shows a structural block diagram of a user authentication and authorization processing device in this exemplary embodiment
  • Figure 8 shows an electronic device used to implement the above user authentication and authorization processing method in this exemplary embodiment.
  • Example embodiments will now be described more fully with reference to the accompanying drawings.
  • Example embodiments may, however, be embodied in various forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concepts of the example embodiments.
  • the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
  • numerous specific details are provided to provide a thorough understanding of embodiments of the disclosure.
  • those skilled in the art will appreciate that the technical solutions of the present disclosure may be practiced without one or more of the specific details described, or other methods, components, devices, steps, etc. may be adopted.
  • well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the disclosure.
  • access authentication and authorization, cloud service authentication and authorization adopt independent processes, lacking coordination, and user terminals need to complete authentication twice.
  • This approach may have the following problems: it is inconvenient for users; the authentication information is fragmented, which increases security risks; the authentication channel and access channel of the cloud business are not guaranteed to be consistent, so cloud business authentication and authorization cannot guarantee that the cloud business is available; and it is not conducive to realizing the synergistic advantages of access service providers and cloud service providers.
  • exemplary embodiments of the present disclosure provide a user authentication authorization processing method. This user authentication and authorization processing method can be applied to scenarios where user terminals use access services and cloud services at the same time.
  • the user authentication and authorization processing method can be deployed in the network architecture 100 shown in Figure 1 and executed by the authentication server 110 in the network architecture 100.
  • the network architecture 100 may include: an authentication server 110, a cloud service authentication module 120, a cloud network interoperability detection module 130, an access gateway 140, a user terminal 150, and a cloud resource pool access terminal 160.
  • the authentication server 110 includes but is not limited to an AAA server or the DN-AAA (Data Network-Authentication, Authorization, Accounting) server of a 5G network, and can communicate with the cloud service authentication module 120, the cloud network interoperability detection module 130 and the access gateway 140; it can receive the authentication request sent by the access gateway 140, obtain data such as the cloud service authentication results and cloud resource authorization parameters returned by the cloud service authentication module 120, obtain data such as the interoperability detection results between the access gateway and cloud resources returned by the cloud network interoperability detection module 130, and return data such as authorization information to the access gateway 140.
  • the cloud service authentication module 120 may be responsible for cloud service authentication, generating and maintaining cloud resource authorization parameters.
  • the cloud network interoperability detection module 130 may be responsible for detecting and maintaining network connectivity between the access gateway 140 and the cloud resource pool access terminal 160, and returning the detection results to the authentication server.
  • the access gateway 140 can send the authentication request to the authentication server 110 when the user terminal 150 initiates the authentication request, and obtain access authorization parameters, cloud resource authorization parameters, cloud network interoperability detection results and other information from the authentication server 110 to complete the access.
  • the user terminal 150 can be mounted on smart devices capable of network communication, such as smartphones, computers, smart monitoring systems, and vehicle-mounted systems.
  • the cloud resource pool access terminal 160 can provide cloud resource access services.
  • FIG. 2 shows a schematic flow of a user authentication and authorization processing method in this exemplary embodiment. It is applied to network access and cloud service authentication and cloud resource authorization, and may include the following steps S210 to step S230:
  • Step S210 In response to receiving the authentication request sent by the access gateway, perform access authentication of the user terminal, where the authentication request is generated by the user terminal and sent to the access gateway;
  • Step S220 Initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request;
  • Step S230 Initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection on the user terminal based on the cloud-network interoperability detection request.
  • Step S210 In response to receiving the authentication request sent by the access gateway, perform access authentication of the user terminal, where the authentication request is generated by the user terminal and sent to the access gateway.
  • the user terminal can initiate authentication to the access gateway, and the access gateway sends the authentication request of the user terminal to the authentication server. After receiving the authentication request sent by the access gateway, the authentication server can perform access authentication on the user terminal.
  • the above-mentioned access authentication of the user terminal can be implemented through the following steps: parsing the authentication request to obtain the access authentication information; performing access authentication on the user terminal based on the access authentication information.
  • the access authentication information includes but is not limited to user name, user account and other information. The details can be determined by the access authentication mechanism configured by the authentication server, and are not specifically limited here.
  • the authentication server can return the access authentication result to the access gateway, so that the access gateway can feed back the access authentication result to the user terminal.
  • the following steps may also be performed: return the access authentication result and access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway is configured based on the access authentication result and access authorization parameters.
  • if access authentication passes, the authentication server can feed back access authentication passing information and access authorization parameters to the access gateway, so that the access gateway can configure the access authorization parameters for the user terminal and the user terminal can use the access service normally.
  • if access authentication fails, the authentication server can directly return access authentication failure information to the access gateway, and the access gateway feeds back the access authentication failure information to the user terminal to end this authentication and authorization process.
  • an access authentication flow chart executed by an authentication server is provided, which may include the following steps:
  • Step S301 Receive the authentication request sent by the access gateway
  • Step S302 parse the authentication information to obtain access authentication information
  • Step S303 Perform access authentication on the user terminal according to the access authentication information
  • Step S304 Determine whether the access authentication passes. If it passes, execute step S305. If it fails, execute step S306;
  • Step S305 Return access authentication passing information and access authorization parameters to the access gateway
  • Step S306 Return access authentication failure information to the access gateway.
  • the access authentication result and access authorization parameters can be returned to the access gateway in real time. Alternatively, the authentication server can wait until steps S220 and S230 have completed and return all the information that needs to go to the access gateway together, to reduce the number of communications.
  • the authentication server can determine whether the user terminal has cloud services. If not, it can directly return the access authentication result to the access gateway; if so, it can continue to step S220 with reference to Figure 2.
  • Step S220 Initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request.
  • the authentication server may initiate a cloud service authentication request to the cloud service authentication module after determining that the user terminal has the cloud service. After receiving the cloud service authentication request, the cloud service authentication module can perform cloud service authentication on the user terminal according to the received cloud service authentication request.
  • the above-mentioned step of initiating a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request, can be achieved through the following step: sending a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains cloud service authentication information based on the cloud service authentication request, and performs cloud service authentication of the user terminal based on the cloud service authentication information.
  • Cloud service authentication information may include, but is not limited to, part or all of user name, password, cloud service identifier, cloud service domain name, cloud service IP address and other information.
  • the authentication server can directly use the user name and password of the user connected to the user terminal as the cloud service authentication information.
  • the details can be determined by the cloud service authentication mechanism configured in the cloud service authentication module, which is not specifically limited here.
  • the authentication server can generate cloud service authentication information based on the access information, append the cloud service authentication information to the cloud service authentication request, and send the cloud service authentication request with the cloud service authentication information appended to the cloud service authentication module.
  • the cloud service authentication module can obtain the cloud service authentication information by parsing the cloud service authentication request, and perform cloud service authentication on the user terminal based on the cloud service authentication information.
  • the access information may include the access user's user name, password, session ID, user identity, and information obtained by the authentication server after completing user access authentication.
  • the authentication server may append the access authentication information to the cloud service authentication request, and send the cloud service authentication request to the cloud service authentication module.
  • the cloud service authentication module obtains access authentication information by parsing the cloud service authentication request; generates cloud service authentication information based on the access authentication information; and performs cloud service authentication on the user terminal based on the cloud service authentication information.
  • the authentication server may send the cloud service authentication request to the cloud service authentication module.
  • the cloud service authentication module can respond to the received cloud service authentication request by querying the local cache, obtaining the historical authentication record of the user accessing through the user terminal, obtaining the cloud service authentication information based on the historical authentication record, and performing cloud service authentication on the user terminal based on the cloud service authentication information.
  • the authentication server may send the cloud service authentication request to the cloud service authentication module.
  • the cloud service authentication module can respond to the received cloud service authentication request by obtaining cloud service authentication information from a third-party module or through an external API (Application Programming Interface) configuration, and performing cloud service authentication on the user terminal based on the cloud service authentication information.
  • the third-party module represents a source of cloud service authentication information, such as an external system used to manage and maintain users' cloud service authentication information.
  • the authentication server realizes the cloud service authentication of the user terminal through interaction with the cloud service authentication module, connecting the access authentication service and the cloud service authentication service to simplify the user authentication and authorization process, thereby improving the efficiency of user authentication and authorization.
  • the cloud service authentication module can also initialize the cloud service authentication information corresponding to the user terminal, complete the cloud service authentication of the user terminal according to the cloud service authentication information, obtain the cloud resource authorization parameters, and return the cloud service authentication result and cloud resource authorization parameters to the authentication server, so that the authentication server can subsequently feed back the cloud service authentication result and cloud resource authorization parameters to the access gateway.
  • the following steps may also be performed: receiving the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; and returning the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the cloud service authentication result and cloud resource authorization parameters.
  • if cloud service authentication passes, the cloud service authentication module can return the cloud service authentication passing information and cloud resource authorization parameters to the authentication server, which feeds them back to the access gateway, so that the access gateway can configure the cloud resource authorization parameters for the user terminal and the user terminal can use cloud services normally.
  • the information returned by the cloud service authentication module to the authentication server may also include but is not limited to: some or all of the cloud service identifier, cloud service domain name and other information.
  • Cloud resource authorization parameters may include but are not limited to some or all of the following information: resource type (such as virtual machine, container/pod or physical machine), vCPU (virtual central processing unit) count, memory, storage and other parameters.
  • a pod can be viewed as a collection of containers.
  • if cloud service authentication fails, the cloud service authentication module can directly return the cloud service authentication failure information to the authentication server, and the authentication server returns the cloud service authentication failure information to the user terminal through the access gateway to end this authentication and authorization process.
  • a cloud service authentication flow chart executed by the cloud service authentication module is provided, which may include the following steps:
  • Step S401 In response to the received cloud service authentication request, perform cloud service authentication
  • Step S402 obtain cloud service authentication results and cloud resource authorization parameters
  • Step S403 Determine whether the cloud service authentication result passes. If it passes, execute step S404. If it fails, execute step S405;
  • Step S404 Return cloud service authentication passing information and cloud resource authorization parameters to the authentication server;
  • Step S405 Return cloud service authentication failure information to the authentication server.
  • if the cloud service authentication passes, the authentication server can return the cloud service authentication result and cloud resource authorization parameters to the access gateway in real time. Alternatively, it can wait for the completion of step S230 and return all the information required by the access gateway together, to reduce the number of communications.
  • the method then continues with step S230 to perform cloud network interoperability detection.
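The sequence described in steps S210 to S230, modelled end to end, as an added example that is not code from the patent or from China Telecom. Everything concrete in it is constructed: the request dictionaries, the module interfaces, the sample accounts, the addresses and the reachability table; the patent fixes no protocol or API. It implements the batched variant the text allows, in which the authentication server runs access authentication (S301 to S306), then cloud service authentication only for a user who has a cloud service (S401 to S405), then interoperability detection, and returns one combined result to the gateway.

```python
"""Toy model of the authentication server flow in steps S210 to S230 (Figures 2 to 4).

Added example, not code from the patent or from China Telecom. The message
dictionaries, module interfaces, sample accounts and addresses are all
constructed for illustration; the patent fixes no concrete protocol or API.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import Optional, Tuple


def _digest(password: str, salt: str = "demo-salt") -> str:
    # Constructed credential store format (salted SHA-256) to keep the sample
    # readable; a production AAA server would use a password KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample data: access-side accounts and cloud-service entitlements.
ACCESS_ACCOUNTS = {"alice@isp": _digest("alice-pw"), "bob@isp": _digest("bob-pw")}
CLOUD_ENTITLEMENTS = {
    "alice@isp": {"cloud_service_id": "svc-42", "cloud_ip": "192.0.2.10",
                  "resource_type": "vm", "vcpu": 4, "memory_gb": 8},
}


@dataclass
class AuthOutcome:
    """Everything the authentication server finally returns to the access gateway."""
    access_ok: bool
    access_params: dict = field(default_factory=dict)
    cloud_ok: Optional[bool] = None     # None: cloud service authentication not attempted
    cloud_params: dict = field(default_factory=dict)
    interop_ok: Optional[bool] = None   # None: interoperability detection not attempted


class CloudServiceAuthModule:
    """Stands in for module 120 (steps S401 to S405)."""

    def authenticate(self, request: dict) -> Tuple[bool, dict]:
        # The request carries the access authentication information, and the
        # entitlement table is the constructed source of cloud authentication data.
        record = CLOUD_ENTITLEMENTS.get(request["user"])
        if record is None or not request["access_passed"]:
            return False, {}
        return True, dict(record)


class CloudNetworkInteropModule:
    """Stands in for module 130: can the access gateway reach the cloud resource pool?"""
    REACHABLE = {("198.51.100.1", "192.0.2.10")}   # constructed reachability table

    def detect(self, request: dict) -> bool:
        return (request["gateway_ip"], request["cloud_ip"]) in self.REACHABLE


class AuthenticationServer:
    """Stands in for server 110. Runs S210, S220 and S230 in order and returns
    one combined result to the gateway (the batched variant the text allows)."""

    def __init__(self) -> None:
        self.cloud_auth = CloudServiceAuthModule()
        self.interop = CloudNetworkInteropModule()

    def handle_authentication_request(self, request: dict) -> AuthOutcome:
        user, password = request["user"], request["password"]
        # S210 / S301 to S304: parse the request and verify the access credential.
        # compare_digest keeps the comparison constant-time.
        stored = ACCESS_ACCOUNTS.get(user)
        if stored is None or not hmac.compare_digest(stored, _digest(password)):
            return AuthOutcome(access_ok=False)                              # S306
        outcome = AuthOutcome(access_ok=True,
                              access_params={"ip": "10.0.0.7", "mtu": 1500})  # S305

        # Only a user who has a cloud service goes on to S220.
        if user not in CLOUD_ENTITLEMENTS:
            return outcome

        # S220: cloud service authentication, with access authentication info appended.
        cloud_ok, cloud_params = self.cloud_auth.authenticate(
            {"user": user, "access_passed": True})
        outcome.cloud_ok, outcome.cloud_params = cloud_ok, cloud_params
        if not cloud_ok:
            return outcome                                                  # S405

        # S230: interoperability detection between this gateway and the resource pool.
        outcome.interop_ok = self.interop.detect(
            {"gateway_ip": request["gateway_ip"], "cloud_ip": cloud_params["cloud_ip"]})
        return outcome


if __name__ == "__main__":
    print(AuthenticationServer().handle_authentication_request(
        {"user": "alice@isp", "password": "alice-pw", "gateway_ip": "198.51.100.1"}))
```

The ordering is the point: cloud service authentication never runs for a terminal whose access authentication failed, and interoperability detection uses the cloud address that came back from cloud authentication, so the gateway only receives cloud resource authorization parameters for a resource pool it has been verified to reach.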
  • Step S230 Initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection on the user terminal based on the cloud-network interoperability detection request.
  • the authentication server can send a cloud-network interoperability detection request to the cloud-network interoperability detection module.
  • the cloud network interoperability detection module can perform cloud network interoperability detection on the user terminal according to the cloud network interoperability detection request.
  • the above-mentioned step of initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection of the user terminal based on the cloud-network interoperability detection request, can be achieved in the following manner: initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module obtains the cloud-network interoperability detection parameters based on the cloud-network interoperability detection request, and performs cloud-network interoperability detection of the user terminal based on the cloud-network interoperability detection parameters.
  • the parameters carried by the cloud network interoperability detection request may include but are not limited to part or all of: user identity, access gateway parameters (such as IP address), cloud service identifier, cloud service domain name, cloud service IP address, cloud resource authorization parameters and other information; the specific parameters can be determined by the cloud-network interoperability detection mechanism configured in the cloud-network interoperability detection module, and there is no specific limit here.
  • A flow chart of the feedback of cloud-network interoperability detection results performed by the cloud-network interoperability detection module is provided, which may include the following steps:
  • Step S501: After receiving the cloud-network interoperability detection request, obtain the cloud-network interoperability detection parameters by parsing the request;
  • Step S502: Determine whether the preset detection period has been reached; if not, continue to step S503; if so, jump to step S504;
  • Step S503: Query the locally stored historical detection record of the previous detection cycle;
  • Step S504: Determine whether a historical detection record was found; if not, continue to step S505; if so, jump to step S506;
  • Step S505: Initiate cloud-network interoperability detection, receive the detection result and update the detection record;
  • Step S506: Return the cloud-network interoperability detection result.
  • Historical detection records include but are not limited to the following parameters: source parameters, destination parameters, detection methods, and detection results.
  • the source end and the destination end can respectively refer to the access gateway and the cloud resource pool access end.
  • the source end parameters can be, for example, the IP address of the access gateway, and the destination end parameters can be, for example, the domain name and IP address of the cloud resource pool access end;
  • The detection method may include, but is not limited to, ping and HTTP (Hypertext Transfer Protocol) access; the detection result may be a single measurement or the average of several measurements taken during detection, such as the average delay and average packet loss rate.
  • ping can be used to determine whether the source end can successfully exchange (send and receive) packets with the destination end, and from the returned information infer whether the TCP/IP parameters are set correctly, whether the host is operating normally, whether the network path is clear, and so on.
  • HTTP is a request-response protocol that usually runs on top of TCP; an HTTP check specifies the request the source end sends to the destination end and the response it expects to receive.
  • Because the cloud-network interoperability detection module does not have to perform a fresh detection on every request, the time taken to return a detection result can be shortened to some extent, further improving user authentication and authorization efficiency.
  • Alternatively, the detection can be performed each time a detection request is received, so as to obtain the latest result.
  • Which of the two modes, periodic detection or real-time detection, is used can be set according to actual needs and is not limited here.
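The cached-record flow of steps S501 to S506 and the periodic/real-time choice above, as an added Python example (not code from the patent or from China Telecom). It assumes the request field names `access_gateway_ip`, `cloud_pool_access_end` and `method`, a 300-second detection period, three averaged probes, the thresholds in `path_usable`, and a constructed probe standing in for ping; real detectors would wrap ping or an HTTP request. It also adds a check the page does not mention: the destination is validated against the authorized cloud resource pool endpoints before any probe is sent.

```python
import statistics
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# A detector probes one (source, destination) pair once and returns
# (delay_ms, packet_loss_ratio); a real one would wrap ping or an HTTP GET.
Detector = Callable[[str, str], Tuple[float, float]]


@dataclass
class DetectionRecord:
    """Historical detection record: source, destination, method, averaged results."""
    source: str            # e.g. access gateway IP address
    destination: str       # e.g. cloud resource pool access end IP or domain
    method: str            # "ping" or "http"
    avg_delay_ms: float
    avg_loss: float
    detected_at: float     # seconds; the clock is passed in by the caller


@dataclass
class InteropDetectionModule:
    detectors: Dict[str, Detector]
    allowed_destinations: Set[str]    # assumed: only authorized pool endpoints may be probed
    period_s: float = 300.0           # assumed preset detection period
    probes: int = 3                   # assumed number of samples averaged per detection
    records: Dict[Tuple[str, str, str], DetectionRecord] = field(default_factory=dict)

    def parse_request(self, request: dict) -> Tuple[str, str, str]:
        """S501: derive the detection parameters from the request (field names assumed)."""
        try:
            source = request["access_gateway_ip"]
            destination = request["cloud_pool_access_end"]
        except KeyError as exc:
            raise ValueError(f"missing detection parameter: {exc.args[0]}") from None
        method = request.get("method", "ping")
        if method not in self.detectors:
            raise ValueError(f"unsupported detection method: {method}")
        # The destination originates in authorization data, but validate it anyway so
        # the module cannot be turned into a probe of arbitrary internal hosts.
        if destination not in self.allowed_destinations:
            raise ValueError(f"destination not in authorized cloud resource pool: {destination}")
        return source, destination, method

    def handle_request(self, request: dict, now: float, realtime: bool = False) -> DetectionRecord:
        """S502-S506: reuse the previous cycle's record while it is fresh, otherwise re-detect."""
        key = self.parse_request(request)
        if not realtime:
            cached = self.records.get(key)                                   # S503
            if cached is not None and now - cached.detected_at < self.period_s:
                return cached                                                # S506
        source, destination, method = key
        samples = [self.detectors[method](source, destination) for _ in range(self.probes)]  # S505
        record = DetectionRecord(
            source, destination, method,
            avg_delay_ms=statistics.fmean(s[0] for s in samples),
            avg_loss=statistics.fmean(s[1] for s in samples),
            detected_at=now,
        )
        self.records[key] = record                                           # update the record
        return record


def path_usable(record: DetectionRecord, max_delay_ms: float = 200.0, max_loss: float = 0.2) -> bool:
    """Threshold the authentication server applies before authorizing cloud resources (assumed values)."""
    return record.avg_loss <= max_loss and record.avg_delay_ms <= max_delay_ms


class ConstructedProbe:
    """Constructed stand-in for ping: fixed results per destination, counts calls."""
    RESULTS = {"10.20.0.1": (12.0, 0.0), "10.20.0.2": (150.0, 0.5)}

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, source: str, destination: str) -> Tuple[float, float]:
        self.calls += 1
        return self.RESULTS[destination]


def demo() -> Tuple[int, bool, bool]:
    """Cache hit within the period, re-detection after it, real-time override."""
    probe = ConstructedProbe()
    module = InteropDetectionModule({"ping": probe}, allowed_destinations=set(ConstructedProbe.RESULTS))
    req_ok = {"access_gateway_ip": "192.0.2.10", "cloud_pool_access_end": "10.20.0.1"}
    req_lossy = {"access_gateway_ip": "192.0.2.10", "cloud_pool_access_end": "10.20.0.2"}
    first = module.handle_request(req_ok, now=0.0)            # 3 probes
    module.handle_request(req_ok, now=100.0)                  # within period: served from record
    module.handle_request(req_ok, now=400.0)                  # period elapsed: 3 more probes
    module.handle_request(req_ok, now=401.0, realtime=True)   # real-time mode: 3 more probes
    lossy = module.handle_request(req_lossy, now=0.0)         # 3 probes
    return probe.calls, path_usable(first), path_usable(lossy)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the modes side by side: the second request within the period is answered from the record with no probe, the request after the period re-detects, and `realtime=True` bypasses the record. The allow-list matters because the detection parameters ultimately come from request data; without it, any party able to shape a detection request could use the module to probe arbitrary internal addresses from the access gateway. A cached result can also mask an outage for up to one period, so the period should be short relative to how quickly the path is expected to change.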
  • The cloud-network interoperability detection module can obtain the cloud-network interoperability detection parameters in any of the following ways, none of which is mandated here.
  • The authentication server can derive the detection parameters from the access authentication information, cloud service authentication information and cloud resource authorization parameters, append them to the detection request, and send it to the detection module.
  • The detection module can then obtain the detection parameters by parsing the detection request.
  • The authentication server can instead append the access authentication information, cloud service authentication information and cloud resource authorization parameters themselves to the detection request and send it to the detection module, which derives the detection parameters from that information.
  • The detection module may, in response to the received detection request, generate the detection parameters from the historical detection record of the previous detection cycle.
  • The detection module may, in response to the received detection request, obtain the detection parameters from an external system that manages and maintains the user's cloud-network interoperability detection parameters, or through configuration over an external API.
  • When the authentication server or the detection module derives the detection parameters from the access authentication information, cloud service authentication information and cloud resource authorization parameters, it can take the source-end parameters (such as the IP address of the access gateway) from the access authentication information and the destination-end parameters (such as the IP address of the cloud resource pool access end) from the cloud resource authorization parameters.
  • Through its interaction with the cloud-network interoperability detection module, the authentication server realizes cloud-network interoperability detection, which can ensure the availability of cloud resources and thereby improve the user's experience of accessing them.
  • After receiving the detection request, the detection module initializes the detection record of the user terminal, determines the detection strategy according to the detection parameters, and delivers to the access gateway the parameter information of the cloud resource pool access end together with the detection strategy, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to that strategy and returns the detection result to the detection module.
  • Through its interaction with the access gateway, the detection module realizes interoperability detection between the access gateway and the cloud resource pool access end. By detecting and maintaining the network connectivity between the two, it ensures that the authorized cloud resource services can actually be reached by the user terminal.
  • The detection module can also determine the user terminal's detection strategy from its local cache, or have the strategy configured from an external device through the external API port.
  • The detection result corresponding to the user terminal returned by the detection module is received and returned to the access gateway, so that the access gateway configures itself according to the detection result.
  • The authentication server can feed the detection result back to the access gateway to inform it that the user terminal, having been authenticated and authorized, can reach the cloud resource pool access end.
  • The authentication server can receive the access authentication result, access authorization parameters, cloud service authentication result and cloud resource authorization parameters, generate authorization information from them, and return the authorization information to the access gateway.
  • The authorization information can be defined in TLV (Tag, Length, Value: attribute type, length, value) format.
  • The attribute type describes the type of authorization information returned by the authentication server to the access gateway, which may include, but is not limited to: user identity identifier, access service identifier, the access user's IP address, cloud service identifier, cloud resource authorization parameters (such as vCPU, memory and disk size), cloud-network interoperability detection parameters (encapsulation type, access gateway IP address, cloud resource pool access end address, etc.) and the cloud-network interoperability detection result.
  • Length describes the length of the attribute value for the corresponding attribute type; Value carries the attribute value itself.
  • The transport protocol used may include, but is not limited to, RADIUS (Remote Authentication Dial-In User Service).
  • an interaction example diagram of user authentication and authorization is also provided, as shown in Figure 6 .
  • The authentication server may perform step S601: in response to receiving the authentication request sent by the access gateway, perform access authentication of the user terminal; initiate a cloud service authentication request to the cloud service authentication module; and initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module.
  • The cloud service authentication module can perform step S602: obtain the cloud service authentication parameters from the cloud service authentication request, perform cloud service authentication of the user terminal according to those parameters, and return the cloud service authentication result and cloud resource authorization parameters to the authentication server.
  • The cloud-network interoperability detection module can perform step S603: obtain the cloud-network interoperability detection parameters from the detection request, perform cloud-network interoperability detection for the user terminal based on those parameters, and return the detection result to the authentication server.
  • The authentication server may perform step S604: determine the authorization information from the access authentication result, access authorization parameters, cloud service authentication result, cloud resource authorization parameters and cloud-network interoperability detection result, and return the authorization information to the access gateway so that the access gateway completes its local configuration.
  • In this way the authentication server completes access authentication, cloud service authentication and cloud-network interoperability detection, and carries the access authorization parameters, cloud resource authorization parameters and detection result in the authorization information it returns.
  • Linking the authentication flows of the access service and the cloud service, with the access gateway completing its configuration according to the authorization information, simplifies the user's service flow, improves the convenience and security of using cloud services, and thereby promotes the rapid and healthy development of cloud-network services.
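The authorization information of step S604 and the TLV/RADIUS encoding described above, as an added Python example (not code from the patent or from China Telecom). The attribute type codes, the vendor ID, the text encoding of the detection parameters and the fail-closed composition rule (cloud resource attributes are emitted only when both cloud service authentication and interoperability detection succeeded) are assumptions for this example; the TLV layout (one-byte type, one-byte length covering type, length and value) and the Vendor-Specific wrapper follow the RADIUS attribute conventions of RFC 2865. The decoder rejects lengths that overrun the buffer, which is the check a gateway parsing attributes off the network needs.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Attribute types named on the page; the numeric codes are assumed for this example.
USER_ID, ACCESS_SERVICE_ID, USER_IP, CLOUD_SERVICE_ID = 1, 2, 3, 4
CLOUD_RES_VCPU, CLOUD_RES_MEM_MB, CLOUD_RES_DISK_GB = 5, 6, 7
INTEROP_PARAMS, INTEROP_RESULT = 8, 9
RADIUS_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
ASSUMED_VENDOR_ID = 99999            # placeholder; the real enterprise number is not on the page


def encode_tlv(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs as 1-byte type, 1-byte length (type+length+value), value."""
    out = bytearray()
    for typ, val in attrs:
        if not 0 <= typ <= 255 or len(val) > 253:
            raise ValueError(f"attribute {typ} out of range for a 1-byte TLV")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return bytes(out)


def decode_tlv(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLVs, rejecting truncated headers and lengths that overrun the buffer."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated TLV header")
        typ, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {typ}")
        attrs.append((typ, bytes(buf[i + 2:i + length])))
        i += length
    return attrs


def radius_vsa(payload: bytes, vendor_id: int = ASSUMED_VENDOR_ID) -> bytes:
    """Wrap the TLVs in one RADIUS Vendor-Specific attribute: type 26, length, vendor-id, data."""
    if len(payload) > 255 - 6:
        raise ValueError("payload does not fit in one Vendor-Specific attribute")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, len(payload) + 6, vendor_id) + payload


@dataclass
class AuthResults:
    """Inputs of step S604: the three results plus the parameters each step produced."""
    access_ok: bool
    user_id: str
    access_service_id: str
    user_ip: str
    cloud_ok: bool
    cloud_service_id: str = ""
    vcpu: int = 0
    mem_mb: int = 0
    disk_gb: int = 0
    interop_ok: bool = False
    interop_params: str = ""      # e.g. "encap=vxlan;gw=192.0.2.10;pool=10.20.0.1" (assumed encoding)


def compose_authorization(r: AuthResults) -> bytes:
    """Build the authorization information. Assumed fail-closed policy: cloud resource
    attributes are carried only when cloud service authentication AND interoperability
    detection both succeeded; otherwise only access-side attributes go out."""
    if not r.access_ok:
        raise PermissionError("access authentication failed; nothing to authorize")
    attrs = [(USER_ID, r.user_id.encode()),
             (ACCESS_SERVICE_ID, r.access_service_id.encode()),
             (USER_IP, r.user_ip.encode())]
    if r.cloud_ok:
        attrs.append((INTEROP_RESULT, b"\x01" if r.interop_ok else b"\x00"))
        if r.interop_ok:
            attrs += [(CLOUD_SERVICE_ID, r.cloud_service_id.encode()),
                      (CLOUD_RES_VCPU, struct.pack("!I", r.vcpu)),
                      (CLOUD_RES_MEM_MB, struct.pack("!I", r.mem_mb)),
                      (CLOUD_RES_DISK_GB, struct.pack("!I", r.disk_gb)),
                      (INTEROP_PARAMS, r.interop_params.encode())]
    return encode_tlv(attrs)


def gateway_view(buf: bytes) -> Dict[int, bytes]:
    """What the access gateway configures from: the decoded attribute map."""
    return dict(decode_tlv(buf))


if __name__ == "__main__":
    full = AuthResults(True, "user-001", "svc-bb", "198.51.100.7", True,
                       "cloud-42", 4, 8192, 100, True, "encap=vxlan;gw=192.0.2.10;pool=10.20.0.1")
    print(gateway_view(compose_authorization(full)))
    print(radius_vsa(compose_authorization(full)).hex())
```

The gateway should treat an `INTEROP_RESULT` of 0 as "do not program cloud resource forwarding", and the server side should never emit cloud resource attributes alongside a failed check; composing the attributes in one place, as `compose_authorization` does, keeps that rule from being bypassed by a partially successful flow.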
  • Exemplary embodiments of the present disclosure also provide a user authentication and authorization processing device, which is applied to network access and cloud service authentication and cloud resource authorization.
  • the user authentication and authorization processing device 700 may include:
  • the access authentication module 710 is configured to perform access authentication of the user terminal in response to receiving an authentication request sent by the access gateway, where the authentication request is generated by the user terminal and sent to the access gateway;
  • the cloud service authentication initiation module 720 is configured to initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request;
  • the cloud-network interoperability detection initiating module 730 is configured to initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection on the user terminal based on the cloud-network interoperability detection request.
  • The cloud service authentication initiation module 720 may be configured to send a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains the cloud service authentication parameters from the request and performs cloud service authentication of the user terminal according to those parameters.
  • The cloud service authentication module can initialize the cloud service authentication information corresponding to the user terminal, complete cloud service authentication of the user terminal based on that information to obtain the cloud resource authorization parameters, and return the cloud service authentication result and cloud resource authorization parameters to the authentication server.
  • The cloud-network interoperability detection initiating module 730 may be configured to initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the detection module obtains the cloud-network interoperability detection parameters from the request and performs cloud-network interoperability detection for the user terminal based on those parameters.
  • After receiving the detection request, the detection module initializes the detection record of the user terminal, determines the detection strategy according to the detection parameters, and delivers to the access gateway the parameter information of the cloud resource pool access end together with the detection policy, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to that policy and returns the detection result to the detection module.
  • The user authentication and authorization processing device 700 may also include an access authentication feedback module, configured to return the access authentication result and access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway can configure itself according to them.
  • The user authentication and authorization processing device 700 may also include a cloud service authentication feedback module, configured to receive the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module, and to return them to the access gateway, so that the access gateway can configure itself according to the cloud service authentication result and cloud resource authorization parameters.
  • The user authentication and authorization processing device 700 may also include an interoperability detection feedback module, configured to receive the cloud-network interoperability detection result corresponding to the user terminal returned by the detection module, and to return it to the access gateway, so that the access gateway can configure itself according to the detection result.
  • Exemplary embodiments of the present disclosure also provide a computer-readable storage medium on which a program product capable of implementing the user authentication and authorization processing method described above in this specification is stored.
  • various aspects of the present disclosure can also be implemented in the form of a program product, which includes program code.
  • When the program product is run on an electronic device, the program code causes the electronic device to execute the steps according to the various exemplary embodiments of the present disclosure described in the "Exemplary Methods" section of this specification.
  • The program product may take the form of a portable compact disk read-only memory (CD-ROM) containing the program code, and may be run on an electronic device such as a personal computer.
  • The program product of the present disclosure is not limited thereto.
  • a readable storage medium may be any tangible medium containing or storing a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.
  • the Program Product may take the form of one or more readable media in any combination.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof. More specific examples (non-exhaustive list) of readable storage media include: electrical connection with one or more conductors, portable disk, hard disk, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying readable program code therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above.
  • a readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate, or transport the program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a readable medium may be transmitted using any suitable medium, including but not limited to wireless, wireline, optical cable, RF, etc., or any suitable combination of the foregoing.
  • Program code for performing the operations of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as "C" or similar.
  • The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
  • The remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
  • Exemplary embodiments of the present disclosure also provide an electronic device capable of implementing the above user authentication and authorization processing method.
  • An electronic device 800 according to such an exemplary embodiment of the present disclosure is described below with reference to FIG. 8 .
  • the electronic device 800 shown in FIG. 8 is only an example and should not bring any limitations to the functions and usage scope of the embodiments of the present disclosure.
  • electronic device 800 may take the form of a general-purpose computing device.
  • the components of the electronic device 800 may include, but are not limited to: at least one processing unit 810, at least one storage unit 820, a bus 830 connecting different system components (including the storage unit 820 and the processing unit 810), and a display unit 840.
  • The storage unit 820 stores program code that can be executed by the processing unit 810, so that the processing unit 810 performs the steps according to the various exemplary embodiments of the present disclosure described in the "Exemplary Methods" section of this specification, ensuring the availability of cloud resources and improving the convenience with which users use cloud services.
  • The processing unit 810 can perform the following steps:
  • Initiating a cloud service authentication request to the cloud service authentication module may include sending a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains the cloud service authentication parameters from the request and performs cloud service authentication of the user terminal according to those parameters.
  • The cloud service authentication module can initialize the cloud service authentication information corresponding to the user terminal, complete cloud service authentication of the user terminal based on that information to obtain the cloud resource authorization parameters, and return the cloud service authentication result and cloud resource authorization parameters to the authentication server.
  • Initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the detection module performs cloud-network interoperability detection of the user terminal based on the request, may include: initiating a cloud-network interoperability detection request to the detection module, so that the detection module obtains the cloud-network interoperability detection parameters from the request and performs cloud-network interoperability detection for the user terminal based on those parameters.
  • The detection module can initialize the detection record of the user terminal, determine the detection strategy according to the detection parameters, and deliver to the access gateway the parameter information of the cloud resource pool access end together with the detection policy, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to that policy and returns the detection result to the detection module.
  • The following step may also be performed: returning the access authentication result and access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway configures itself according to them.
  • The following steps may also be performed: receiving the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module, and returning them to the access gateway, so that the access gateway configures itself according to the cloud service authentication result and cloud resource authorization parameters.
  • The following steps may also be performed: receiving the cloud-network interoperability detection result corresponding to the user terminal returned by the detection module, and returning it to the access gateway, so that the access gateway configures itself according to the detection result.
  • The storage unit 820 may include a readable medium in the form of a volatile storage unit, such as a random access memory (RAM) 821 and/or a cache memory 822, and may further include a read-only memory (ROM) 823.
  • The storage unit 820 may also include a program/utility 824 having a set of (at least one) program modules 825, including but not limited to an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
  • Bus 830 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
  • Electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with electronic device 800, and/or with any device that enables electronic device 800 to communicate with one or more other computing devices (e.g., router, modem, etc.). Such communication may occur through input/output (I/O) interface 850.
  • The electronic device 800 may also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 860. As shown, network adapter 860 communicates with the other modules of electronic device 800 via bus 830.
  • Other hardware and/or software modules may be used in conjunction with electronic device 800, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
  • The example embodiments described here can be implemented by software, or by software combined with the necessary hardware. The technical solution according to the embodiments of the present disclosure can therefore be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or removable hard disk) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute a method according to an exemplary embodiment of the present disclosure.
  • Although modules or units of the device for action execution are mentioned in the above detailed description, this division is not mandatory.
  • the features and functions of two or more modules or units described above may be embodied in one module or unit.
  • the features and functions of one module or unit described above may be further divided into being embodied by multiple modules or units.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A user authentication and authorization method and apparatus, and a medium and an electronic device. The method comprises: in response to receiving an authentication request, which is sent by an access gateway, performing access authentication of a user terminal, wherein the authentication request is generated by the user terminal and is sent to the access gateway; initiating a cloud service authentication request to a cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal on the basis of the cloud service authentication request; and initiating a cloud network intercommunication detection request to a cloud network intercommunication detection module, so that the cloud network intercommunication detection module performs cloud network intercommunication detection of the user terminal on the basis of the cloud network intercommunication detection request. The collaboration of an access authentication function, a cloud service authentication function and a cloud network intercommunication detection function is realized, such that the availability of cloud resources can be ensured, and the convenience of a user using the cloud service can be improved.

Description

User authentication and authorization method, apparatus, medium and device

Cross-reference to related applications

This disclosure claims priority to Chinese patent application No. 202210730355.0, titled "User authentication and authorization method, apparatus, medium and device" and filed on June 24, 2022, the entire content of which is incorporated herein by reference.

Technical field

The present disclosure relates to the fields of communication technology and cloud computing, and in particular to a user authentication and authorization method, a user authentication and authorization apparatus, a computer-readable storage medium and an electronic device.

Background

In cloud-network convergence scenarios, a large number of users need both access services and cloud services. Authenticating and authorizing the user terminal is an indispensable step whenever a user terminal uses an access service or a cloud service.

In the related art, cloud service authentication and cloud resource authorization are independent of the authentication flow on the access side. The authorization information returned by the authentication server usually concerns only the access service or the data channel, such as IP (Internet Protocol) address allocation, port, MTU (Maximum Transmission Unit) and PPP (Point-to-Point Protocol) parameters; it does not cover cloud resource application and provisioning, cloud service activation or similar services. Because the access authentication flow and the cloud service authentication flow are not coordinated, using cloud services is inconvenient for the user and the availability of cloud resources cannot be guaranteed.

It should be noted that the information disclosed in this background section is only intended to improve understanding of the background of the present disclosure, and may therefore include information that does not constitute prior art known to a person of ordinary skill in the art.

Summary

Additional features and advantages of the disclosure will become apparent from the following detailed description, or may in part be learned by practising the disclosure.

According to a first aspect of the present disclosure, a user authentication and authorization processing method is provided, applied to network access, cloud service authentication and cloud resource authorization. The method includes: in response to receiving an authentication request sent by an access gateway, performing access authentication of a user terminal, where the authentication request is generated by the user terminal and sent to the access gateway; initiating a cloud service authentication request to a cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal on the basis of the cloud service authentication request; and initiating a cloud-network interoperability detection request to a cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection of the user terminal on the basis of the cloud-network interoperability detection request.

In an optional implementation, initiating the cloud service authentication request to the cloud service authentication module so that the module performs cloud service authentication of the user terminal includes: sending the cloud service authentication request to the cloud service authentication module, so that the module obtains cloud service authentication information on the basis of the request and performs cloud service authentication of the user terminal according to that information.

In an optional implementation, after receiving the cloud service authentication request, the cloud service authentication module initializes the cloud service authentication information corresponding to the user terminal, completes the cloud service authentication of the user terminal according to that information, obtains cloud resource authorization parameters, and returns the cloud service authentication result and the cloud resource authorization parameters to the authentication server.

In an optional implementation, initiating the cloud-network interoperability detection request to the cloud-network interoperability detection module so that the module performs cloud-network interoperability detection of the user terminal includes: initiating the cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module obtains cloud-network interoperability detection parameters on the basis of the request and performs cloud-network interoperability detection of the user terminal according to those parameters.

In an optional implementation, after receiving the cloud-network interoperability detection request, the cloud-network interoperability detection module initializes a detection record for the user terminal, determines a cloud-network interoperability detection policy according to the detection parameters, and delivers the parameter information of the cloud resource pool access endpoint together with the detection policy to the access gateway, so that the access gateway initiates cloud-network interoperability detection towards the cloud resource pool access endpoint according to the policy and returns the detection result to the cloud-network interoperability detection module.

In an optional implementation, if the access authentication of the user terminal passes, the method further includes: returning the access authentication result and the access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the access authentication result and the access authorization parameters.

In an optional implementation, if the cloud service authentication of the user terminal passes, the method further includes: receiving the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; and returning the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to them.

In an optional implementation, the method further includes: receiving the cloud-network interoperability detection result corresponding to the user terminal returned by the cloud-network interoperability detection module, and returning that detection result to the access gateway, so that the access gateway performs configuration according to it.

According to a second aspect of the present disclosure, a user authentication and authorization processing apparatus is provided, applied to network access, cloud service authentication and cloud resource authorization. The apparatus includes: an access authentication module, configured to perform access authentication of a user terminal in response to receiving an authentication request sent by an access gateway, where the authentication request is generated by the user terminal and sent to the access gateway; a cloud service authentication initiation module, configured to initiate a cloud service authentication request to a cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal on the basis of the request; and a cloud-network interoperability detection initiation module, configured to initiate a cloud-network interoperability detection request to a cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection of the user terminal on the basis of the request.

According to a third aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, the user authentication and authorization processing method described above is implemented.

According to a fourth aspect of the present disclosure, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor is configured to perform the user authentication and authorization processing method described above by executing the executable instructions.

It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the present disclosure.

Brief description of the drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain its principles. Obviously, the drawings described below show only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.

Figure 1 shows the system architecture in which a user authentication and authorization processing method of this exemplary embodiment runs;

Figure 2 shows a flow chart of a user authentication and authorization processing method of this exemplary embodiment;

Figure 3 shows a flow chart of the access authentication performed by the authentication server in this exemplary embodiment;

Figure 4 shows a flow chart of the cloud service authentication performed by the cloud service authentication module in this exemplary embodiment;

Figure 5 shows a flow chart of the feedback of cloud-network interoperability detection results performed by the cloud-network interoperability detection module in this exemplary embodiment;

Figure 6 shows an example of the user authentication and authorization interaction in this exemplary embodiment;

Figure 7 shows a structural block diagram of a user authentication and authorization processing apparatus of this exemplary embodiment;

Figure 8 shows an electronic device for implementing the user authentication and authorization processing method described above in this exemplary embodiment.

Detailed description

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many forms and should not be construed as limited to the examples set forth here; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concepts of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of the embodiments of the disclosure. Those skilled in the art will recognise, however, that the technical solutions of the disclosure may be practised without one or more of these specific details, or with other methods, components, devices, steps and so on. In other instances, well-known technical solutions are not shown or described in detail so as not to obscure aspects of the disclosure.

Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, so their repeated description is omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

In the related art, access authentication and authorization on the one hand and cloud service authentication and authorization on the other use independent flows with no coordination, so a user terminal has to complete authentication twice. This can cause the following problems: it is inconvenient for the user; authentication information is fragmented, which increases security risk; the authentication channel and the access channel of the cloud service are not guaranteed to be the same, so cloud service authentication and authorization cannot guarantee that the cloud service is actually usable; and it prevents the access service provider and the cloud service provider from realising the advantages of cooperation.

In view of one or more of the above problems, exemplary embodiments of the present disclosure provide a user authentication and authorization processing method. The method can be applied to scenarios in which a user terminal uses both an access service and a cloud service.

Specifically, the method can be deployed in the network architecture 100 shown in Figure 1 and executed by the authentication server 110 in that architecture. The network architecture 100 may include: an authentication server 110, a cloud service authentication module 120, a cloud-network interoperability detection module 130, an access gateway 140, a user terminal 150 and a cloud resource pool access endpoint 160.

The authentication server 110 includes, but is not limited to, an AAA server or the DN-AAA (Data Network Authentication, Authorization and Accounting) server of a 5G network. It can communicate with the cloud service authentication module 120, the cloud-network interoperability detection module 130 and the access gateway 140; it can receive the authentication request sent by the access gateway 140, obtain data such as the cloud service authentication result and the cloud resource authorization parameters returned by the cloud service authentication module 120, obtain data such as the result of the interoperability detection between the access gateway and the cloud resources returned by the cloud-network interoperability detection module 130, and return data such as authorization information to the access gateway 140. The cloud service authentication module 120 is responsible for cloud service authentication and for generating and maintaining cloud resource authorization parameters. The cloud-network interoperability detection module 130 is responsible for detecting and maintaining network connectivity between the access gateway 140 and the cloud resource pool access endpoint 160, and returns the detection result to the authentication server. When the user terminal 150 initiates an authentication request, the access gateway 140 forwards it to the authentication server 110, obtains from the authentication server 110 information such as access authorization parameters, cloud resource authorization parameters and cloud-network interoperability detection results, and completes its local configuration. The user terminal 150 may run on any smart device capable of network communication, such as a smartphone, a computer, a smart surveillance system or an in-vehicle system. The cloud resource pool access endpoint 160 provides cloud resource access services.

Figure 2 shows the flow of a user authentication and authorization processing method of this exemplary embodiment, applied to network access, cloud service authentication and cloud resource authorization; it may include the following steps S210 to S230:

Step S210: in response to receiving an authentication request sent by the access gateway, perform access authentication of the user terminal, where the authentication request is generated by the user terminal and sent to the access gateway;

Step S220: initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal on the basis of the request;

Step S230: initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection of the user terminal on the basis of the request.

This user authentication and authorization process coordinates access authentication, cloud service authentication and cloud-network interoperability detection. On the one hand, it links the authentication flows of the access service and the cloud service, which simplifies the user's workflow to some extent, makes cloud services more convenient to use and, through this coordination, avoids the security problems caused by fragmented authentication information, supporting the rapid and healthy development of cloud-network services. On the other hand, by connecting the cloud-network interoperability detection function, the user authentication and authorization mechanism is further improved: it avoids cloud resources becoming inaccessible because the authentication channel and the access channel of the cloud service differ, and thereby ensures the availability of cloud resources.

Each step in Figure 2 is described in detail below.

Step S210: in response to receiving an authentication request sent by the access gateway, perform access authentication of the user terminal, where the authentication request is generated by the user terminal and sent to the access gateway.

The user terminal initiates authentication towards the access gateway, and the access gateway forwards the user terminal's authentication request to the authentication server. After receiving the authentication request from the access gateway, the authentication server performs access authentication of the user terminal.

Specifically, access authentication of the user terminal can be carried out in the following steps: parse the authentication request to obtain the access authentication information; perform access authentication of the user terminal according to that information. The access authentication information includes, but is not limited to, the user name, the user account and similar information; the details depend on the access authentication mechanism configured on the authentication server and are not limited here.

After access authentication is complete, the authentication server can return the access authentication result to the access gateway, so that the access gateway can report the result of this access authentication to the user terminal.

In an optional implementation, if the access authentication of the user terminal passes, the following step may also be performed: return the access authentication result and the access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the access authentication result and the access authorization parameters.

When the access authentication of the user terminal passes, the authentication server can report the pass result and the access authorization parameters to the access gateway, so that the access gateway configures the access authorization parameters for the user terminal and the user terminal can use the access service normally.

If the access authentication of the user terminal fails, the authentication server can directly return an access authentication failure message to the access gateway, and the access gateway reports the failure to the user terminal, which ends this authentication and authorization process.

By way of example, Figure 3 shows a flow chart of the access authentication performed by the authentication server, which may include the following steps:

Step S301: receive the authentication request sent by the access gateway;

Step S302: parse the authentication request to obtain the access authentication information;

Step S303: perform access authentication of the user terminal according to the access authentication information;

Step S304: determine whether the access authentication passes; if so, go to step S305, otherwise go to step S306;

Step S305: return an access authentication pass message and the access authorization parameters to the access gateway;

Step S306: return an access authentication failure message to the access gateway.

It should be noted that after the authentication server completes access authentication, if it passes, the access authentication result and the access authorization parameters can be returned to the access gateway immediately; alternatively, the server can wait until steps S220 and S230 have completed and return all the information destined for the access gateway together, reducing the number of exchanges.

After completing access authentication, the authentication server can determine whether the user terminal has a cloud service. If not, it can directly return the access authentication result to the access gateway; if so, it continues with step S220 with reference to Figure 2.
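The authentication-server side of Figure 2 (steps S210 to S230) and of the access-authentication flow in Figure 3 (steps S301 to S306), written out as an added Python example; this is not code from the patent or from China Telecom. It assumes the gateway's request arrives as a flat attribute dictionary (RADIUS-style attribute names are used only for readability), that the cloud service authentication module and the cloud-network interoperability detection module are reachable as injected callables, and it uses a constructed subscriber store; the two stand-in modules at the end are constructed for the example only. It produces the batched reply the text mentions and fails closed on malformed requests and unknown users.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed subscriber store: salted PBKDF2 hashes plus a flag recording whether
# the subscriber also has a cloud service (the check the text makes after access
# authentication and before step S220).
_SALT = b"constructed-example-salt"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


SUBSCRIBERS = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse", _SALT), "cloud": True},
    "bob": {"salt": _SALT, "hash": _pbkdf2("battery staple", _SALT), "cloud": False},
}


@dataclass
class GatewayReply:
    """Everything the authentication server sends back to the access gateway."""
    access_passed: bool
    access_authorization: Dict[str, str] = field(default_factory=dict)
    cloud_result: Optional[Dict] = None
    detection_result: Optional[Dict] = None


def parse_access_request(request: Dict) -> Optional[Dict[str, str]]:
    """S302: extract the access authentication information from the gateway's
    request; return None (fail closed) if mandatory attributes are missing."""
    user, password = request.get("User-Name"), request.get("User-Password")
    if not isinstance(user, str) or not user or not isinstance(password, str):
        return None
    return {"username": user, "password": password,
            "session_id": str(request.get("Acct-Session-Id", ""))}


def access_authenticate(info: Dict[str, str]) -> bool:
    """S303/S304: verify the credential in constant time, doing the same hashing
    work whether or not the user exists so unknown names are not faster to reject."""
    record = SUBSCRIBERS.get(info["username"])
    candidate = _pbkdf2(info["password"], record["salt"] if record else _SALT)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


def access_authorization_for(username: str) -> Dict[str, str]:
    """S305: access-side parameters only (address, MTU, service type); nothing
    here describes cloud resources, which is exactly the gap the text points at."""
    host = 10 + sorted(SUBSCRIBERS).index(username)  # constructed address assignment
    return {"Framed-IP-Address": f"10.0.0.{host}", "Framed-MTU": "1492",
            "Service-Type": "Framed-User"}


def handle_authentication(request: Dict,
                          cloud_module: Callable[[Dict], Dict],
                          detection_module: Callable[[Dict], Dict]) -> GatewayReply:
    """Steps S210 to S230 from the authentication server's point of view, batching
    the access, cloud and detection results into one reply to the gateway."""
    info = parse_access_request(request)
    if info is None or not access_authenticate(info):
        return GatewayReply(access_passed=False)  # S306
    reply = GatewayReply(True, access_authorization_for(info["username"]))  # S305
    if not SUBSCRIBERS[info["username"]]["cloud"]:
        return reply  # no cloud service: the access result is all the gateway gets
    # S220: forward only the verified identity and session. The text also allows
    # reusing the access password as the cloud credential; this example keeps the
    # password on the access side instead.
    reply.cloud_result = cloud_module({"username": info["username"],
                                       "session_id": info["session_id"]})
    if reply.cloud_result.get("passed"):
        # S230: detection only makes sense for a terminal that now holds cloud
        # resource authorization; it targets the endpoint named in those parameters.
        reply.detection_result = detection_module({
            "username": info["username"],
            "cloud_resource_authorization": reply.cloud_result["cloud_resource_authorization"]})
    return reply


# Constructed stand-ins for modules 120 and 130, just enough to exercise the flow.
def constructed_cloud_module(req: Dict) -> Dict:
    return {"passed": req["username"] == "alice",
            "cloud_resource_authorization": {"tenant": "t-001", "vpc": "vpc-42",
                                             "pool_endpoint": "192.0.2.10"}}


def constructed_detection_module(req: Dict) -> Dict:
    return {"reachable": True,
            "pool_endpoint": req["cloud_resource_authorization"]["pool_endpoint"]}
```

Calling `handle_authentication` for a subscriber without a cloud service returns the access result alone; for a subscriber with a cloud service the reply also carries the cloud result and, only when cloud authentication passed, the detection result, so the gateway can apply all three configurations from a single message.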

Step S220: initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal on the basis of the request.

After determining that the user terminal has a cloud service, the authentication server can initiate a cloud service authentication request to the cloud service authentication module. After receiving the request, the cloud service authentication module can perform cloud service authentication of the user terminal according to it.

In an optional implementation, initiating the cloud service authentication request to the cloud service authentication module so that the module performs cloud service authentication of the user terminal can be carried out as follows: send the cloud service authentication request to the cloud service authentication module, so that the module obtains cloud service authentication information on the basis of the request and performs cloud service authentication of the user terminal according to that information.

The cloud service authentication information may include some or all of the user name, password, cloud service identifier, cloud service domain name, cloud service IP address and similar information. For example, the authentication server can use the user name and password of the user logged in on the user terminal directly as the cloud service authentication information; the details depend on the cloud service authentication mechanism configured on the cloud service authentication module and are not limited here.

For example, the authentication server can generate the cloud service authentication information from the access information, attach it to the cloud service authentication request, and send the request with the attached information to the cloud service authentication module. After receiving the request, the cloud service authentication module obtains the cloud service authentication information by parsing the request and performs cloud service authentication of the user terminal according to it. The access information may be the access user's user name, password, session identifier or user identity, as well as information obtained by the authentication server after completing the user's access authentication.

For example, the authentication server can attach the access authentication information to the cloud service authentication request and send the request to the cloud service authentication module. The cloud service authentication module obtains the access authentication information by parsing the request, generates the cloud service authentication information from the access authentication information, and performs cloud service authentication of the user terminal according to it.

For example, the authentication server can send the cloud service authentication request to the cloud service authentication module, which, in response, queries its local cache for the historical authentication records of the user logged in on the user terminal, derives the cloud service authentication information from those records, and performs cloud service authentication of the user terminal according to it.

For example, the authentication server can send the cloud service authentication request to the cloud service authentication module, which, in response, obtains the cloud service authentication information from a third-party module or through external API (Application Programming Interface) configuration and performs cloud service authentication of the user terminal according to it. Here the third-party module represents a source of cloud service authentication information, such as an external system that manages and maintains users' cloud service authentication information.

In this process, the authentication server performs cloud service authentication of the user terminal by interacting with the cloud service authentication module, linking the access authentication service and the cloud service authentication service so as to simplify the user authentication and authorization flow and improve its efficiency.

云业务认证模块在接收到云业务认证请求后,还可以初始化用户终端对应的云业务认证信息;根据云业务认证信息完成用户终端的云业务认证,获得云资源授权参数;向认证 服务器返回云业务认证结果以及云资源授权参数,以便于后续认证服务器向接入网关反馈本次云业务认证结果以及云资源授权参数。After receiving the cloud service authentication request, the cloud service authentication module can also initialize the cloud service authentication information corresponding to the user terminal; complete the cloud service authentication of the user terminal according to the cloud service authentication information, obtain the cloud resource authorization parameters; and return the cloud service to the authentication server. Authentication results and cloud resource authorization parameters, so that the subsequent authentication server can feed back the cloud service authentication results and cloud resource authorization parameters to the access gateway.

在一种可选的实施方式中,若用户终端的云业务认证通过,还可以执行以下步骤:接收云业务认证模块返回的用户终端所对应的云业务认证结果以及云资源授权参数;将用户终端所对应的云业务认证结果以及云资源授权参数返回给接入网关,以使接入网关根据云业务认证结果以及云资源授权参数进行配置。In an optional implementation, if the cloud service authentication of the user terminal passes, the following steps may also be performed: receiving the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; The corresponding cloud service authentication result and cloud resource authorization parameters are returned to the access gateway, so that the access gateway performs configuration according to the cloud service authentication result and cloud resource authorization parameters.

在用户终端的云业务认证通过时,云业务认证模块可将云业务认证通过信息以及云资源授权参数返回给认证服务器,并通过认证服务器向接入网关反馈云业务认证通过信息以及云资源授权参数,以便于接入网关针对用户终端进行云资源授权参数的配置,使得用户终端可以正常使用云业务。When the cloud service authentication of the user terminal passes, the cloud service authentication module can return the cloud service authentication passing information and cloud resource authorization parameters to the authentication server, and feed back the cloud service authentication passing information and cloud resource authorization parameters to the access gateway through the authentication server. , so that the access gateway can configure the cloud resource authorization parameters for the user terminal, so that the user terminal can use cloud services normally.

云业务认证模块向认证服务器所返回的信息还可以包括但不限于:云业务标识、云业务域名等信息中的部分或全部。The information returned by the cloud service authentication module to the authentication server may also include but is not limited to: some or all of the cloud service identifier, cloud service domain name and other information.

云资源授权参数可以包括但不限于以下信息中的部分或全部:Cloud resource authorization parameters may include but are not limited to some or all of the following information:

(1)云资源池访问端的域名、IP地址;(1) The domain name and IP address of the cloud resource pool access terminal;

(2)资源类型(如虚拟机、容器/pod、物理机)、vCPU(Virtual Central Processing Unit,虚拟处理器)、内存、存储等参数。其中pod可以看作是容器的集合。(2) Resource type (such as virtual machine, container/pod, physical machine), vCPU (Virtual Central Processing Unit, virtual processor), memory, storage and other parameters. A pod can be viewed as a collection of containers.

若用户终端的云业务认证未通过,则云业务认证模块可直接向认证服务器返回云业务认证未通过信息,并由认证服务器通过接入网关向用户终端返回云业务认证未通过信息,以结束本次认证授权流程。If the cloud service authentication of the user terminal fails, the cloud service authentication module can directly return the cloud service authentication failed information to the authentication server, and the authentication server returns the cloud service authentication failed information to the user terminal through the access gateway to end this section. Sub-authentication and authorization process.

As an example, Figure 4 shows a flow chart of cloud service authentication performed by the cloud service authentication module, which may include the following steps:

Step S401: in response to the received cloud service authentication request, perform cloud service authentication;

Step S402: obtain the cloud service authentication result and the cloud resource authorization parameters;

Step S403: determine whether the cloud service authentication result is a pass; if so, go to step S404, otherwise go to step S405;

Step S404: return the cloud service authentication pass information and the cloud resource authorization parameters to the authentication server;

Step S405: return the cloud service authentication failure information to the authentication server.

It should be noted that, once cloud service authentication has completed and passed, the authentication server may return the cloud service authentication result and the cloud resource authorization parameters to the access gateway immediately, or it may wait until step S230 has completed and return all the information destined for the access gateway together, reducing the number of message exchanges.

After cloud service authentication completes, refer again to Figure 2 and perform step S230, cloud-network interoperability detection.

Step S230: initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module performs cloud-network interoperability detection for the user terminal based on the request.

The authentication server may send the cloud-network interoperability detection request to the cloud-network interoperability detection module. After receiving the request, the module may perform cloud-network interoperability detection for the user terminal according to it.

In an optional implementation, initiating the cloud-network interoperability detection request so that the module performs detection for the user terminal may be implemented as follows: initiate the cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module obtains the cloud-network interoperability detection parameters based on the request and performs cloud-network interoperability detection for the user terminal according to those parameters.

The parameters carried by the cloud-network interoperability detection request may include, but are not limited to, some or all of the following: user identity, access gateway parameters (such as its IP address), cloud service identifier, cloud service domain name, cloud service IP address, and cloud resource authorization parameters. The specifics are determined by the cloud-network interoperability detection mechanism configured in the cloud-network interoperability detection module and are not limited here.

As an example, Figure 5 shows a flow chart of cloud-network interoperability detection result feedback performed by the cloud-network interoperability detection module, which may include the following steps:

Step S501: after receiving the cloud-network interoperability detection request, obtain the cloud-network interoperability detection parameters by parsing the request;

Step S502: determine whether the preset detection period has been reached; if not, continue to step S503, otherwise jump to step S504;

Step S503: query the locally stored historical detection record of the previous detection period;

Step S504: determine whether a historical detection record was found; if not, continue to step S505, otherwise jump to step S506;

Step S505: initiate cloud-network interoperability detection, receive the detection result, and update the detection record;

Step S506: return the cloud-network interoperability detection result.

A historical detection record includes, but is not limited to, the following parameters: source end parameters, destination end parameters, detection method, and detection result. The source end and destination end may refer to the access gateway and the cloud resource pool access end respectively; a source end parameter may be, for example, the IP address of the access gateway, and a destination end parameter may be, for example, the domain name or IP address of the cloud resource pool access end. Detection methods include, but are not limited to, ping and HTTP (Hyper Text Transfer Protocol) access. Detection results include, but are not limited to, the average of one or more individual results obtained during detection, such as average latency or average packet loss rate. Ping can be used to determine whether the source end can successfully exchange (send and receive) packets with the destination end and, from the returned information, to infer whether the TCP/IP parameters are set correctly, whether operation is normal, and whether the network path is clear. HTTP is a request-response protocol that usually runs on top of TCP and specifies the messages the source end may send to the destination end and the responses it receives.

It should be noted that, by setting a detection period in the steps shown in Figure 5, the cloud-network interoperability detection module need not perform cloud-network interoperability detection on every request, which shortens the time to return a detection result to some extent and further improves user authentication and authorization efficiency. In practice, detection may instead be performed immediately on receiving each cloud-network interoperability detection request, in order to obtain the latest result. Which of the two modes, periodic or real-time, is used can be set according to actual needs and is not limited here.
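The following is an added example, not code from the patent or its applicant, of the Figure 5 flow (steps S501 to S506) with the detection period described above. The request field names (`gateway_ip`, `cloud_access_end`, `method`), the record layout and the probe interface are assumptions; the probe is a pluggable callable so the module runs offline with a constructed probe, and the clock is injected so the period logic can be exercised deterministically. The parse step validates the request before anything is probed, because the module will send traffic to whatever destination it is handed.

```python
"""Cloud-network interoperability detection with a cached result window.

Added example, not part of the patent text. It follows steps S501-S506 of
Figure 5: parse the detection parameters from the request, serve the
previous period's record from the local cache while the detection period has
not elapsed, otherwise run a fresh probe and update the record.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # conservative host-name charset


@dataclass(frozen=True)
class DetectionParams:
    source_ip: str   # access gateway (source end)
    dest: str        # cloud resource pool access end (domain name or IP)
    method: str      # "ping" or "http", the two methods the text names


@dataclass
class DetectionRecord:
    params: DetectionParams
    avg_latency_ms: float
    loss_rate: float
    taken_at: float  # clock reading (seconds) when the probe ran


# A probe returns (average latency in ms, packet loss rate). A real one would
# run ping or an HTTP request; the demo below supplies a constructed probe.
Probe = Callable[[DetectionParams], Tuple[float, float]]


def parse_request(req: dict) -> DetectionParams:
    """S501: extract and validate the detection parameters (assumed field names)."""
    try:
        source_ip = str(ipaddress.ip_address(req["gateway_ip"]))
    except (KeyError, ValueError):
        raise ValueError("gateway_ip missing or not an IP address") from None
    dest = req.get("cloud_access_end", "")
    if not _HOST_RE.match(dest):
        raise ValueError("cloud_access_end missing or malformed")
    method = req.get("method", "ping")
    if method not in ("ping", "http"):
        raise ValueError(f"unsupported detection method {method!r}")
    return DetectionParams(source_ip, dest, method)


class InteropDetector:
    def __init__(self, probe: Probe, period_s: float, clock: Callable[[], float]):
        self.probe, self.period_s, self.clock = probe, period_s, clock
        self.records: Dict[DetectionParams, DetectionRecord] = {}  # local cache

    def detect(self, req: dict) -> dict:
        params = parse_request(req)                                   # S501
        now = self.clock()
        rec = self.records.get(params)                                # S503: previous record
        period_elapsed = rec is None or now - rec.taken_at >= self.period_s  # S502
        if not period_elapsed:                                        # S504: record found, still fresh
            return self._result(rec, "cache")                         # S506
        latency, loss = self.probe(params)                            # S505: fresh detection
        rec = DetectionRecord(params, latency, loss, now)
        self.records[params] = rec                                    # update the detection record
        return self._result(rec, "probe")                             # S506

    @staticmethod
    def _result(rec: DetectionRecord, source: str) -> dict:
        return {"source_ip": rec.params.source_ip, "dest": rec.params.dest,
                "method": rec.params.method, "avg_latency_ms": rec.avg_latency_ms,
                "loss_rate": rec.loss_rate, "source": source}


def demo():
    """Drive the detector with a constructed probe and a controllable clock."""
    calls = []

    def fake_probe(p: DetectionParams) -> Tuple[float, float]:
        calls.append(p)
        return 12.5, 0.0

    clock = [1000.0]
    det = InteropDetector(fake_probe, period_s=60.0, clock=lambda: clock[0])
    req = {"gateway_ip": "192.0.2.254", "cloud_access_end": "pool.example.net"}
    first = det.detect(req)    # no record yet: probe
    second = det.detect(req)   # within the period: served from cache
    clock[0] += 61.0
    third = det.detect(req)    # period elapsed: probe again
    return first, second, third, len(calls)


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r)
```

The `source` key in the returned result records whether the answer came from the cache or from a fresh probe; a real-time deployment, the second mode described above, is the same code with `period_s` set to zero.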

The cloud-network interoperability detection module may obtain the cloud-network interoperability detection parameters in any of the following ways, which are not specifically limited here.

For example, the authentication server may extract the cloud-network interoperability detection parameters from the access authentication information, the cloud service authentication information, and the cloud resource authorization parameters, attach them to the cloud-network interoperability detection request, and send the request to the cloud-network interoperability detection module, which obtains the parameters by parsing the request.

For example, the authentication server may attach the access authentication information, the cloud service authentication information, and the cloud resource authorization parameters to the cloud-network interoperability detection request and send it to the cloud-network interoperability detection module, which then derives the cloud-network interoperability detection parameters from the access authentication information, the cloud service authentication information, and the cloud resource authorization information.

For example, in response to the received cloud-network interoperability detection request, the cloud-network interoperability detection module may generate the cloud-network interoperability detection parameters from the historical detection record of the previous detection period.

For example, in response to the received cloud-network interoperability detection request, the cloud-network interoperability detection module may obtain the cloud-network interoperability detection parameters from an external system that manages and maintains users' cloud interoperability detection parameters, or through external API configuration.

When the authentication server or the cloud-network interoperability detection module extracts the cloud-network interoperability detection parameters from the access authentication information, the cloud service authentication information, and the cloud resource authorization parameters, it may take the source end parameters, such as the IP address of the access gateway, from the access authentication information, and the destination end detection parameters, such as the IP address of the cloud resource pool access end, from the cloud resource authorization parameters.

In the above process, the authentication server performs cloud-network interoperability detection by interacting with the cloud-network interoperability detection module, which ensures the availability of the cloud resources and thereby improves the user's cloud resource access experience.

In an optional implementation, after receiving the cloud-network interoperability detection request, the cloud-network interoperability detection module initializes the detection record of the user terminal, determines the cloud-network interoperability detection policy according to the cloud-network interoperability detection parameters, and delivers the parameter information of the cloud resource pool access end together with the detection policy to the access gateway, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to the policy and returns the detection result to the cloud-network interoperability detection module.

In the above process, the cloud-network interoperability detection module, by interacting with the access gateway, performs interoperability detection between the access gateway and the cloud resource pool access end. By detecting and maintaining the network connectivity between the access gateway and the cloud resource pool access end, it ensures that authorized cloud resource services can be reached by the user terminal.

In addition, the cloud-network interoperability detection module may determine the user terminal's cloud-network interoperability detection policy from its local cache, or the policy may be configured by an external device through the module's external API interface.

In an optional implementation, the cloud-network interoperability detection result corresponding to the user terminal returned by the cloud-network interoperability detection module is received and returned to the access gateway, so that the access gateway performs configuration according to the detection result.

In the above process, by feeding the cloud-network interoperability detection result back to the access gateway, the authentication server can indicate to the access gateway that the authenticated and authorized user terminal may access the cloud resource pool access end.

In an optional implementation, after receiving the cloud service authentication result and cloud resource authorization parameters returned by the cloud service authentication module and the cloud-network interoperability detection result returned by the cloud-network interoperability detection module, the authentication server may generate authorization information from the access authentication result, the access authorization parameters, the cloud service authentication result, and the cloud resource authorization parameters, and return the authorization information to the access gateway.

The authorization information may be defined in TLV (Tag, Length, Value: attribute type, length, value) format. The attribute type describes the type of authorization information returned by the authentication server to the access gateway and may include, but is not limited to, the following types: user identity, access service identifier, IP address of the access user, cloud service identifier, cloud resource authorization parameters (such as vCPU, memory, and disk size), cloud-network interoperability detection parameters (encapsulation type, access gateway IP address, cloud resource pool access end address, and so on), and cloud-network interoperability detection result. The length describes the length of the attribute value for the corresponding attribute type. The value carries the attribute value for the corresponding attribute type.

When the authentication server returns the authorization information to the access gateway, the transport protocol used may include, but is not limited to, RADIUS (Remote Authentication Dial-In User Service).
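The following is an added example, not the patent's own format, of encoding and decoding the TLV authorization information described above. The text lists the attribute types but assigns no numeric tags, header widths or value encodings, so the tag numbers, the 1-byte tag / 2-byte big-endian length header and the per-type codecs here are assumptions. The decoder is the part a gateway implementer should care about: a declared length that runs past the buffer, a fixed-width value of the wrong size, or a duplicated attribute is rejected rather than silently mis-parsed, while attributes with unknown tags are skipped.

```python
"""TLV (tag, length, value) encoding of the authorization information the
authentication server returns to the access gateway.

Added example, not code from the patent. Tag numbers and the header layout
(1-byte tag, 2-byte big-endian length) are assumptions.
"""
import ipaddress
import struct

HEADER = struct.Struct(">BH")   # tag (1 byte), length (2 bytes, big-endian)
MAX_VALUE = 0xFFFF              # largest value a 2-byte length can describe


def _uint(fmt):
    return (lambda v: struct.pack(fmt, v), lambda b: struct.unpack(fmt, b)[0])


_text = (lambda v: v.encode("utf-8"), lambda b: b.decode("utf-8"))
_ip = (lambda v: ipaddress.ip_address(v).packed, lambda b: str(ipaddress.ip_address(b)))
_flag = (lambda v: b"\x01" if v else b"\x00", lambda b: struct.unpack(">B", b)[0] == 1)

# field name -> (assumed tag, (encode, decode)); the types follow the list in the text
FIELDS = {
    "user_id":           (1,  _text),
    "access_service_id": (2,  _text),
    "user_ip":           (3,  _ip),
    "cloud_service_id":  (4,  _text),
    "vcpu":              (5,  _uint(">H")),
    "memory_mb":         (6,  _uint(">I")),
    "disk_gb":           (7,  _uint(">I")),
    "encap_type":        (8,  _text),
    "gateway_ip":        (9,  _ip),
    "pool_access_end":   (10, _text),
    "interop_ok":        (11, _flag),
}
BY_TAG = {tag: (name, codec) for name, (tag, codec) in FIELDS.items()}


def encode_authorization(info: dict) -> bytes:
    out = bytearray()
    for name, value in info.items():
        if name not in FIELDS:
            raise ValueError(f"unknown field {name!r}")
        tag, (enc, _) = FIELDS[name]
        raw = enc(value)
        if len(raw) > MAX_VALUE:
            raise ValueError(f"{name} value too long for a 2-byte length")
        out += HEADER.pack(tag, len(raw)) + raw
    return bytes(out)


def decode_authorization(buf: bytes) -> dict:
    """Decode defensively: a declared length may never run past the buffer,
    fixed-width values must have exactly their width, duplicates are rejected,
    and unknown tags are skipped (RFC 2865 lets RADIUS receivers ignore
    attributes of unknown type)."""
    info, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < HEADER.size:
            raise ValueError(f"truncated attribute header at offset {pos}")
        tag, length = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        if length > len(buf) - pos:
            raise ValueError(f"tag {tag} declares {length} bytes, only {len(buf) - pos} remain")
        raw = bytes(buf[pos:pos + length])
        pos += length
        if tag not in BY_TAG:
            continue
        name, (_, dec) = BY_TAG[tag]
        if name in info:
            raise ValueError(f"duplicate attribute {name!r}")
        try:
            info[name] = dec(raw)
        except (struct.error, ValueError, UnicodeDecodeError) as exc:
            raise ValueError(f"malformed value for {name!r}: {exc}") from None
    return info


def sample_authorization() -> dict:
    """Constructed authorization information for one authenticated terminal."""
    return {"user_id": "alice", "access_service_id": "bras-01", "user_ip": "192.0.2.1",
            "cloud_service_id": "svc-42", "vcpu": 2, "memory_mb": 4096, "disk_gb": 40,
            "encap_type": "vxlan", "gateway_ip": "192.0.2.254",
            "pool_access_end": "198.51.100.5", "interop_ok": True}


if __name__ == "__main__":
    blob = encode_authorization(sample_authorization())
    print(blob.hex())
    print(decode_authorization(blob))
```

If the authorization information is carried as RADIUS attributes in practice, the same length-versus-remaining-buffer check applies to each attribute's 1-byte length field; only the header struct changes.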

In an optional implementation, an example interaction diagram of user authentication and authorization is also provided, as shown in Figure 6.

The authentication server may perform step S601: in response to receiving the authentication request sent by the access gateway, perform access authentication of the user terminal; initiate a cloud service authentication request to the cloud service authentication module; and initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module;

The cloud service authentication module may perform step S602: obtain the cloud service authentication parameters based on the cloud service authentication request, perform cloud service authentication of the user terminal according to those parameters, and return the cloud service authentication result and the cloud resource authorization parameters to the authentication server;

The cloud-network interoperability detection module may perform step S603: obtain the cloud-network interoperability detection parameters based on the cloud-network interoperability detection request, perform cloud-network interoperability detection for the user terminal according to those parameters, and return the cloud-network interoperability detection result to the authentication server;

The authentication server may perform step S604: determine the authorization information based on the access authentication result, the access authorization parameters, the cloud service authentication result, the cloud resource authorization parameters, and the cloud-network interoperability detection result, and return the authorization information to the access gateway so that the access gateway completes its local configuration.

In the above process, when the user initiates authentication, the authentication server completes access authentication, cloud service authentication, and cloud-network interoperability detection, and the authorization information it returns carries the access authorization parameters, the cloud resource authorization parameters, and the cloud-network interoperability detection result. This unifies the authentication flows of the access service and the cloud service; the access gateway completes its configuration from the authorization information, which simplifies the user's service usage flow, improves the convenience and security of using cloud services, and thereby promotes the rapid and healthy development of cloud-network services.
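The following is an added example, not code from the patent, of an authentication server running the S601 to S604 exchange end to end, including the pass/fail branch of the cloud service authentication module from Figure 4 (S403 to S405) and the early termination on failure described earlier. It takes the option of returning everything to the gateway in one message after interoperability detection. The credential store, cloud entitlement table and reachability table are constructed inline so the flow runs offline, and the module method names are assumptions, not the patent's interfaces. Access passwords are stored as PBKDF2 hashes and compared in constant time; the interoperability check here is a table lookup, since the cached-probe logic is shown in the earlier example.

```python
"""Authentication-server orchestration for steps S601-S604.

Added example, not code from the patent. Stores and module interfaces are
constructed assumptions so the flow is runnable offline.
"""
import hashlib
import hmac


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed credential store: user -> (salt, PBKDF2 hash, access authorization params).
# A fixed salt keeps the example deterministic; real deployments use a per-user random salt.
_SALT = b"constructed-example-salt"
ACCESS_USERS = {
    "alice": (_SALT, _hash_pw("correct horse", _SALT), {"vlan": 100, "user_ip": "192.0.2.1"}),
    "bob":   (_SALT, _hash_pw("bob-pass", _SALT),      {"vlan": 101, "user_ip": "192.0.2.2"}),
}

# Constructed cloud entitlement table held by the cloud service authentication module.
# bob has network access but no cloud entitlement, which exercises the S405 branch.
CLOUD_ENTITLEMENTS = {
    "alice": {"cloud_service_id": "svc-42", "pool_access_end": "198.51.100.5",
              "vcpu": 2, "memory_mb": 4096, "disk_gb": 40},
}

GATEWAY_IP = "192.0.2.254"   # access gateway address, the source end of detection
# Constructed reachability table standing in for a real ping/HTTP probe.
REACHABLE = {(GATEWAY_IP, "198.51.100.5"): {"avg_latency_ms": 8.0, "loss_rate": 0.0}}


class CloudAuthModule:
    """S401-S405: authenticate against the entitlement table, return pass+params or failure."""

    def authenticate(self, cloud_auth_info: dict) -> dict:
        ent = CLOUD_ENTITLEMENTS.get(cloud_auth_info.get("user"))
        if ent is None:
            return {"passed": False}                             # S405
        return {"passed": True, "resource_params": dict(ent)}    # S404


class InteropModule:
    """S603: detection parameters in, detection result out (table lookup here)."""

    def detect(self, params: dict) -> dict:
        r = REACHABLE.get((params["gateway_ip"], params["pool_access_end"]))
        return {"reachable": r is not None, **(r or {})}


class AuthServer:
    def __init__(self):
        self.cloud = CloudAuthModule()
        self.interop = InteropModule()

    def access_authenticate(self, user: str, password: str):
        rec = ACCESS_USERS.get(user)
        if rec is None:
            _hash_pw(password, _SALT)   # hash anyway so unknown users cost the same time
            return None
        salt, stored, params = rec
        return params if hmac.compare_digest(stored, _hash_pw(password, salt)) else None

    def handle(self, auth_request: dict) -> dict:
        """Process one gateway authentication request and return what goes back to the gateway."""
        user, password = auth_request["user"], auth_request["password"]
        access_params = self.access_authenticate(user, password)        # S601: access authentication
        if access_params is None:
            return {"result": "access_failed"}
        # S601/S602: access information reused as the cloud service authentication information
        cloud = self.cloud.authenticate({"user": user})
        if not cloud["passed"]:
            return {"result": "cloud_auth_failed", "access_params": access_params}
        # S601/S603: source end from access info, destination end from the resource params
        interop = self.interop.detect({"gateway_ip": GATEWAY_IP,
                                       "pool_access_end": cloud["resource_params"]["pool_access_end"]})
        # S604: assemble the authorization information returned to the access gateway
        return {"result": "authorized", "access_params": access_params,
                "resource_params": cloud["resource_params"], "interop": interop}


if __name__ == "__main__":
    srv = AuthServer()
    for req in ({"user": "alice", "password": "correct horse"},
                {"user": "bob", "password": "bob-pass"},
                {"user": "alice", "password": "wrong"}):
        print(req["user"], "->", srv.handle(req))
```

The `result` field distinguishes the three outcomes the text describes: access authentication failure, cloud service authentication failure (returned to the terminal through the gateway), and full authorization carrying the resource parameters and the interoperability result.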

Exemplary embodiments of the present disclosure also provide a user authentication and authorization processing apparatus, applied to network access, cloud service authentication, and cloud resource authorization. As shown in Figure 7, the user authentication and authorization processing apparatus 700 may include:

an access authentication module 710, configured to perform access authentication of the user terminal in response to receiving an authentication request sent by the access gateway, where the authentication request is generated by the user terminal and sent to the access gateway;

a cloud service authentication initiation module 720, configured to initiate a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the request;

a cloud-network interoperability detection initiation module 730, configured to initiate a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module performs cloud-network interoperability detection for the user terminal based on the request.

In an optional implementation, the cloud service authentication initiation module 720 may be configured to send the cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains the cloud service authentication parameters based on the request and performs cloud service authentication of the user terminal according to those parameters.

In an optional implementation, after receiving the cloud service authentication request, the cloud service authentication module may initialize the cloud service authentication information corresponding to the user terminal, complete cloud service authentication of the user terminal according to that information, obtain the cloud resource authorization parameters, and return the cloud service authentication result and the cloud resource authorization parameters to the authentication server.

In an optional implementation, the cloud-network interoperability detection initiation module 730 may be configured to initiate the cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module obtains the cloud-network interoperability detection parameters based on the request and performs cloud-network interoperability detection for the user terminal according to those parameters.

In an optional implementation, after receiving the cloud-network interoperability detection request, the cloud-network interoperability detection module initializes the detection record of the user terminal, determines the cloud-network interoperability detection policy according to the cloud-network interoperability detection parameters, and delivers the parameter information of the cloud resource pool access end together with the detection policy to the access gateway, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to the policy and returns the detection result to the cloud-network interoperability detection module.

In an optional implementation, if the user terminal passes access authentication, the user authentication and authorization processing apparatus 700 may further include an access authentication feedback module, configured to return the access authentication result and access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to them.

In an optional implementation, if the user terminal passes cloud service authentication, the user authentication and authorization processing apparatus 700 may further include a cloud service authentication feedback module, which may be configured to receive the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module, and return them to the access gateway, so that the access gateway performs configuration according to the cloud service authentication result and the cloud resource authorization parameters.

In an optional implementation, the user authentication and authorization processing apparatus 700 may further include an interoperability detection feedback module, configured to receive the cloud-network interoperability detection result corresponding to the user terminal returned by the cloud-network interoperability detection module and return it to the access gateway, so that the access gateway performs configuration according to the detection result.

The specific details of each part of the user authentication and authorization processing apparatus 700 have been described in the method embodiments; for details not disclosed here, refer to the method embodiments, which are not repeated.

Exemplary embodiments of the present disclosure also provide a computer-readable storage medium on which is stored a program product capable of implementing the user authentication and authorization processing method described above in this specification. In some possible embodiments, the aspects of the present disclosure may also be implemented in the form of a program product comprising program code which, when the program product is run on an electronic device, causes the electronic device to execute the steps according to the various exemplary embodiments of the present disclosure described in the "Exemplary Methods" section above. The program product may take the form of a portable compact disc read-only memory (CD-ROM) containing the program code, and may be run on an electronic device such as a personal computer. The program product of the present disclosure is not limited to this, however; in this document a readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device.

The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but without limitation, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.

A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device.

Program code contained on a readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.

Program code for carrying out the operations of the present disclosure may be written in any combination of one or more programming languages, including object-oriented languages such as Java and C++ and conventional procedural languages such as the "C" language or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).

Exemplary embodiments of the present disclosure also provide an electronic device capable of implementing the user authentication and authorization processing method described above. An electronic device 800 according to such an exemplary embodiment is described below with reference to FIG. 8. The electronic device 800 shown in FIG. 8 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present disclosure.

As shown in FIG. 8, the electronic device 800 may take the form of a general-purpose computing device. Its components may include, but are not limited to, at least one processing unit 810, at least one storage unit 820, a bus 830 connecting the different system components (including the storage unit 820 and the processing unit 810), and a display unit 840.

The storage unit 820 stores program code that can be executed by the processing unit 810, so that the processing unit 810 performs the steps according to the various exemplary embodiments of the present disclosure described in the "Exemplary Methods" section above, thereby ensuring the availability of cloud resources and making cloud services more convenient for users.

Specifically, the processing unit 810 may perform the following steps:

in response to receiving an authentication request sent by the access gateway, performing access authentication of the user terminal, where the authentication request is generated by the user terminal and sent to the access gateway;

initiating a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request;

initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection for the user terminal based on the cloud-network interoperability detection request.

In an optional embodiment, initiating the cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on that request, may include the following step: sending a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains cloud service authentication parameters based on the request and performs cloud service authentication of the user terminal according to those parameters.

In an optional embodiment, after receiving the cloud service authentication request, the cloud service authentication module may initialize the cloud service authentication information corresponding to the user terminal, complete the cloud service authentication of the user terminal according to that information, obtain cloud resource authorization parameters, and return the cloud service authentication result together with the cloud resource authorization parameters to the authentication server.

In an optional embodiment, initiating the cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module performs cloud-network interoperability detection for the user terminal based on that request, may include the following step: initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the module obtains cloud-network interoperability detection parameters based on the request and performs cloud-network interoperability detection for the user terminal according to those parameters.

In an optional embodiment, after receiving the cloud-network interoperability detection request, the cloud-network interoperability detection module may initialize a detection record for the user terminal, determine a cloud-network interoperability detection policy according to the cloud-network interoperability detection parameters, and deliver the parameter information of the cloud resource pool access end together with the detection policy to the access gateway, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to the policy and returns the cloud-network interoperability detection result to the cloud-network interoperability detection module.

In an optional embodiment, if the access authentication of the user terminal passes, the following step may also be performed: returning the access authentication result and the access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway configures itself according to the access authentication result and the access authorization parameters.

In an optional embodiment, if the cloud service authentication of the user terminal passes, the following steps may also be performed: receiving the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; and returning the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway configures itself according to the cloud service authentication result and the cloud resource authorization parameters.

In an optional embodiment, the following step may also be performed: receiving the cloud-network interoperability detection result corresponding to the user terminal returned by the cloud-network interoperability detection module, and returning that detection result to the access gateway, so that the access gateway configures itself according to the cloud-network interoperability detection result.
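The three-stage procedure above, as an added example that is not code from the patent or from its applicant: a self-contained Python simulation in which one authentication server performs access authentication, then issues the cloud service authentication request, then issues the cloud-network interoperability detection request, with all three bound to a single session identifier, and the access gateway opens the cloud path only when all three results agree. The challenge-response access proof, the entitlement table, the reachability table, the session-id format and the detection policy are all hypothetical, constructed so the example runs offline; the patent specifies none of the authentication scheme, the message formats or the probe method.

```python
"""Added example, not code from the patent or its applicant: a single-process
simulation in which one authentication server drives access authentication, cloud
service authentication and cloud-network interoperability detection under one session
id, and the gateway opens the cloud path only when all three pass. All names,
secrets and tables below are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): access secrets, entitlements, reachability.
ACCESS_SECRETS = {"ue-1001": b"s3cret-ue-1001", "ue-1002": b"s3cret-ue-1002"}
CLOUD_ENTITLEMENTS = {
    "ue-1001": {"pool": "pool-a", "vlan": 300, "bandwidth_mbps": 100},
    "ue-1002": {"pool": "pool-b", "vlan": 301, "bandwidth_mbps": 50},
}
REACHABLE = {("gw-1", "pool-a"): True, ("gw-1", "pool-b"): False}


def terminal_auth_request(terminal: str, nonce: str) -> dict:
    """Request the terminal generates for the gateway: an HMAC over the server's nonce."""
    proof = hmac.new(ACCESS_SECRETS[terminal], nonce.encode(), hashlib.sha256).hexdigest()
    return {"terminal": terminal, "nonce": nonce, "proof": proof}


@dataclass
class GatewayState:
    access_ok: bool = False
    cloud_ok: bool = False
    interop_ok: bool = False
    cloud_params: dict = field(default_factory=dict)

    def cloud_path_open(self) -> bool:
        # Cloud access is enabled only when all three stages agree for this session.
        return self.access_ok and self.cloud_ok and self.interop_ok


class AccessGateway:
    def __init__(self, gw_id: str):
        self.gw_id = gw_id
        self.state: dict[str, GatewayState] = {}

    def probe(self, endpoint: dict, policy: dict) -> str:
        # Detection toward the pool access end; a real gateway sends probes per `policy`.
        return "pass" if REACHABLE.get((self.gw_id, endpoint["pool"]), False) else "fail"

    def configure(self, session: str, **fields) -> GatewayState:
        st = self.state.setdefault(session, GatewayState())
        for name, value in fields.items():
            setattr(st, name, value)
        return st


class CloudServiceAuthModule:
    def authenticate(self, request: dict) -> dict:
        # Initialize the terminal's cloud auth info and derive its resource authorization.
        entitlement = CLOUD_ENTITLEMENTS.get(request["terminal"])
        result = "fail" if entitlement is None else "pass"
        return {"session": request["session"], "result": result, "params": dict(entitlement or {})}


class InteropDetectionModule:
    def __init__(self):
        self.records: dict[str, dict] = {}  # one detection record per session

    def detect(self, request: dict, gateway: AccessGateway) -> dict:
        # Derive a policy from the parameters, push endpoint + policy to the gateway, record result.
        self.records[request["session"]] = {"status": "pending"}
        pool = request["params"]["pool"]
        policy = {"probe": "icmp", "count": 3, "timeout_s": 2}
        result = gateway.probe({"pool": pool}, policy)
        self.records[request["session"]] = {"status": "done", "result": result}
        return {"session": request["session"], "result": result}


class AuthServer:
    def __init__(self):
        self.cloud_auth = CloudServiceAuthModule()
        self.interop = InteropDetectionModule()
        self.nonces: dict[str, str] = {}

    def challenge(self, terminal: str) -> str:
        self.nonces[terminal] = secrets.token_hex(16)
        return self.nonces[terminal]

    def handle(self, gateway: AccessGateway, auth_req: dict) -> GatewayState:
        terminal, nonce = auth_req["terminal"], auth_req["nonce"]
        session = f"{gateway.gw_id}:{terminal}:{nonce[:8]}"
        gateway.state.pop(session, None)  # a fresh run never inherits earlier results
        # Stage 1: access authentication; the nonce is single-use, so a replay fails here.
        expected = hmac.new(ACCESS_SECRETS.get(terminal, b""), nonce.encode(), hashlib.sha256)
        access_ok = (self.nonces.pop(terminal, None) == nonce
                     and hmac.compare_digest(expected.hexdigest(), auth_req["proof"]))
        st = gateway.configure(session, access_ok=access_ok)
        if not access_ok:
            return st  # an unauthenticated terminal never reaches cloud authentication
        # Stage 2: cloud service authentication, bound to the same session id.
        cloud = self.cloud_auth.authenticate({"session": session, "terminal": terminal})
        st = gateway.configure(session, cloud_ok=cloud["result"] == "pass", cloud_params=cloud["params"])
        if cloud["result"] != "pass":
            return st
        # Stage 3: confirm the path this gateway will actually use reaches the pool.
        interop = self.interop.detect({"session": session, "params": cloud["params"]}, gateway)
        return gateway.configure(session, interop_ok=interop["result"] == "pass")
```

Running `AuthServer().handle(...)` for terminal ue-1001 on gateway gw-1 ends with the cloud path open and the VLAN and bandwidth parameters applied. Terminal ue-1002 passes both authentication stages, but its entitled pool is unreachable from gw-1, so the gateway keeps the path closed; that is the mismatch between the channel the cloud service was authenticated over and the channel it is accessed over that the detection stage exists to catch. A wrong proof or a replayed nonce fails at stage one and never triggers a cloud service authentication request, and every stage's result is keyed by the same session id rather than held in three unrelated records.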

In the user authentication and authorization process described above, access authentication, cloud service authentication and cloud-network interoperability detection are coordinated. On the one hand, the authentication flows for the access service and the cloud service are joined, which simplifies the user's service flow to a degree, makes cloud services more convenient to use and, through this functional coordination, avoids the security problems that arise when authentication information is fragmented across separate systems; this supports the rapid and sound development of cloud-network services. On the other hand, by connecting the cloud-network interoperability detection function, the user authentication and authorization mechanism is further completed: it avoids the situation in which cloud resources cannot be reached because the channel over which the cloud service was authenticated differs from the channel over which it is accessed, thereby ensuring the availability of cloud resources.

The storage unit 820 may include a readable medium in the form of a volatile storage unit, such as a random access memory (RAM) 821 and/or a cache memory 822, and may further include a read-only memory (ROM) 823.

The storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, including but not limited to an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.

The bus 830 may represent one or more of several types of bus structure, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.

The electronic device 800 may also communicate with one or more external devices 900 (such as a keyboard, a pointing device or a Bluetooth device), with one or more devices that enable a user to interact with the electronic device 800, and/or with any device (such as a router or modem) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may take place through input/output (I/O) interfaces 850. The electronic device 800 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 over the bus 830. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.

From the description of the embodiments above, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of the present disclosure may therefore be embodied in the form of a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute the method according to the exemplary embodiments of the present disclosure.

In addition, the drawings above are only schematic illustrations of the processing included in the methods according to the exemplary embodiments of the present disclosure and are not intended to be limiting. It will be readily understood that the processing shown in the drawings neither indicates nor limits the temporal order of these operations. It will also be readily understood that these operations may be performed, for example, synchronously or asynchronously in multiple modules.

It should be noted that, although several modules or units of the apparatus for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to the exemplary embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.

Those skilled in the art will understand that the aspects of the present disclosure may be implemented as a system, a method or a program product. The aspects of the present disclosure may therefore be embodied in the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be referred to collectively here as a "circuit", "module" or "system". Other embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed here. The present disclosure is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed here. The specification and embodiments are to be regarded as exemplary only; the true scope and spirit of the present disclosure are indicated by the claims.

It should be understood that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (11)

1. A user authentication and authorization processing method, applied to network access and cloud service authentication and cloud resource authorization, the method comprising:
in response to receiving an authentication request sent by an access gateway, performing access authentication of a user terminal, wherein the authentication request is generated by the user terminal and sent to the access gateway;
initiating a cloud service authentication request to a cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request; and
initiating a cloud-network interoperability detection request to a cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection for the user terminal based on the cloud-network interoperability detection request.

2. The method according to claim 1, wherein initiating the cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request, comprises:
sending a cloud service authentication request to the cloud service authentication module, so that the cloud service authentication module obtains cloud service authentication information based on the cloud service authentication request and performs cloud service authentication of the user terminal according to the cloud service authentication information.

3. The method according to claim 2, wherein, after receiving the cloud service authentication request, the cloud service authentication module initializes the cloud service authentication information corresponding to the user terminal, completes the cloud service authentication of the user terminal according to the cloud service authentication information, obtains cloud resource authorization parameters, and returns the cloud service authentication result and the cloud resource authorization parameters to the authentication server.

4. The method according to claim 1, wherein initiating the cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection for the user terminal based on the cloud-network interoperability detection request, comprises:
initiating a cloud-network interoperability detection request to the cloud-network interoperability detection module, so that the cloud-network interoperability detection module obtains cloud-network interoperability detection parameters based on the cloud-network interoperability detection request and performs cloud-network interoperability detection for the user terminal according to the cloud-network interoperability detection parameters.

5. The method according to claim 4, wherein, after receiving the cloud-network interoperability detection request, the cloud-network interoperability detection module initializes a detection record for the user terminal, determines a cloud-network interoperability detection policy according to the cloud-network interoperability detection parameters, and delivers parameter information of a cloud resource pool access end together with the cloud-network interoperability detection policy to the access gateway, so that the access gateway initiates cloud-network interoperability detection toward the cloud resource pool access end according to the cloud-network interoperability detection policy and returns a cloud-network interoperability detection result to the cloud-network interoperability detection module.

6. The method according to claim 1, wherein, if the access authentication of the user terminal passes, the method further comprises:
returning the access authentication result and access authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the access authentication result and the access authorization parameters.

7. The method according to claim 1, wherein, if the cloud service authentication of the user terminal passes, the method further comprises:
receiving the cloud service authentication result and cloud resource authorization parameters corresponding to the user terminal returned by the cloud service authentication module; and
returning the cloud service authentication result and the cloud resource authorization parameters corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the cloud service authentication result and the cloud resource authorization parameters.

8. The method according to claim 1, further comprising:
receiving the cloud-network interoperability detection result corresponding to the user terminal returned by the cloud-network interoperability detection module, and returning the cloud-network interoperability detection result corresponding to the user terminal to the access gateway, so that the access gateway performs configuration according to the cloud-network interoperability detection result.

9. A user authentication and authorization processing apparatus, applied to network access and cloud service authentication and cloud resource authorization, the apparatus comprising:
an access authentication module, configured to perform access authentication of a user terminal in response to receiving an authentication request sent by an access gateway, wherein the authentication request is generated by the user terminal and sent to the access gateway;
a cloud service authentication initiating module, configured to initiate a cloud service authentication request to a cloud service authentication module, so that the cloud service authentication module performs cloud service authentication of the user terminal based on the cloud service authentication request; and
a cloud-network interoperability detection initiating module, configured to initiate a cloud-network interoperability detection request to a cloud-network interoperability detection module, so that the cloud-network interoperability detection module performs cloud-network interoperability detection for the user terminal based on the cloud-network interoperability detection request.

10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the method according to any one of claims 1 to 8.

11. An electronic device, comprising:
a processor; and
a memory for storing instructions executable by the processor;
wherein the processor is configured to perform the method according to any one of claims 1 to 8 by executing the executable instructions.
PCT/CN2022/142487 2022-06-24 2022-12-27 User authentication and authorization method and apparatus, and medium and device Ceased WO2023246060A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210730355.0 2022-06-24
CN202210730355.0A CN115022074B (en) 2022-06-24 2022-06-24 User authentication authorization method, device, medium and equipment

Publications (1)

Publication Number Publication Date
WO2023246060A1 true WO2023246060A1 (en) 2023-12-28

Family

ID=83077367

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/142487 Ceased WO2023246060A1 (en) 2022-06-24 2022-12-27 User authentication and authorization method and apparatus, and medium and device

Country Status (2)

Country Link
CN (1) CN115022074B (en)
WO (1) WO2023246060A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022074B (en) * 2022-06-24 2024-10-11 中国电信股份有限公司 User authentication authorization method, device, medium and equipment
CN115567918A (en) * 2022-09-19 2023-01-03 中国银行股份有限公司 Resource message query method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
CN114090975A (en) * 2021-10-28 2022-02-25 青岛海尔科技有限公司 Cloud database resource processing method and device, electronic equipment and storage medium
US20220141662A1 (en) * 2019-02-06 2022-05-05 Apple Inc. Enabling interactive service for cloud renderting gaming in 5g systems
CN115022074A (en) * 2022-06-24 2022-09-06 中国电信股份有限公司 User authentication and authorization method, device, medium and equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103873449B (en) * 2012-12-18 2017-07-07 中国电信股份有限公司 Method for network access and system
EP2747350A1 (en) * 2012-12-21 2014-06-25 Telefónica, S.A. Method and system for access to cloud network services
FR3007551A1 (en) * 2013-06-25 2014-12-26 France Telecom METHOD AND SERVER FOR PROCESSING AN ACCESS QUERY FROM A TERMINAL TO A COMPUTER RESOURCE
CN108111473B (en) * 2016-11-24 2020-11-13 腾讯科技(深圳)有限公司 Unified management method, device and system for hybrid cloud
CN112153055B (en) * 2020-09-25 2023-04-18 北京百度网讯科技有限公司 Authentication method and device, computing equipment and medium
CN114372254B (en) * 2021-08-16 2023-03-24 中电长城网际系统应用有限公司 Multi-authentication authorization method under big data environment
CN114125023B (en) * 2021-11-12 2024-03-22 青岛海尔科技有限公司 Method and device for determining data connection, storage medium and electronic device

Also Published As

Publication number Publication date
CN115022074A (en) 2022-09-06
CN115022074B (en) 2024-10-11

Similar Documents

Publication Publication Date Title
CN112968844B (en) Method and device for sending fragment message
WO2019000871A1 (en) Method and device for providing voice service, and server
US10645172B1 (en) Socket tunneling connections in a service provider environment
CN115150113A (en) Method for accessing intranet application and related equipment
US9591081B2 (en) Virtual desktop access using wireless devices
WO2017101265A1 (en) Message processing method, processing server, terminal and storage medium
WO2023246060A1 (en) User authentication and authorization method and apparatus, and medium and device
CN115134553A (en) Data transmission method and device, electronic equipment and storage medium
CN116887420A (en) Data transmission method, device, electronic equipment and computer-readable storage medium
CN114448703B (en) Request processing method, request processing device, electronic equipment and storage medium
CN117194068A (en) Cross-process data transmission method, system, equipment and storage medium
CN114338496B (en) Resource forwarding method, device, terminal and computer storage medium
CN103051679B (en) Data transmission method and interface equipment, cloud optimal control equipment
CN103220235A (en) Distributed virtual switcher management method, relevant device and relevant system
CN114979305B (en) Communication method, device, equipment, storage medium and program product
US20250063081A1 (en) Method, apparatus, computer device, and storage medium for linkage parameter configuration
WO2024066939A1 (en) Multicast communication method for virtual network group, communication system, and related device
WO2024022400A1 (en) Cloud resource configuration method and related device
WO2024119917A1 (en) Sensing measurement method and apparatus, and related device
CN115834237A (en) Method, device, equipment, medium and system for issuing access control list policy
CN116261175A (en) Application access method and device based on edge calculation, electronic equipment and medium
HK40066462A (en) Streaming media transmission method and system, equipment and storage medium
CN116707988A (en) Authentication method, device, computer equipment and medium based on unified gateway system
CN115811474A (en) A method for binding an Internet of Things device, a terminal, and an Internet of Things device
CN116389192A (en) Data transmission architecture and its method, device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22947795

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22947795

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/07/2025)